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Abstract 

The  culture,  design,  and  operation  of  the  maritime  industry  all  contribute  to  create  an  error- 
inducing  system.  As  oil  tankers  have  become  larger,  the  tolerance  for  error  has  decreased  as 
the  consequences  have  increased.  Highly  visible  oil  spills  have  made  society  more  aware  of 
the  dangers  inherent  with  transporting  oil  at  sea. 

A  probabilistic  risk  assessment  (PRA)  provides  a  formal  process  of  determining  the  fiill  range 
of  possible  adverse  occurrences,  probabilities,  and  expected  costs  for  any  undesirable  event. 
A  PRA  can  identify  those  areas  that  offer  the  greatest  risk-reducing  potential.  Once  the 
components  with  the  greatest  risk-reducing  potential  are  identified,  appropriate  technology 
and  management  schemes  can  properly  influence  risk  reduction. 

Humans  contribute  to  high  consequence  accidents  in  the  design,  construction  and  operations 
phases  of  an  engineering  system.  While  human  error  is  attributed  to  80  percent  of  the  marine 
accidents,  a  closer  look  reveals  that  many  accidents  attributed  to  human  error  are  system  er¬ 
rors. 

An  application  of  a  qualitative  risk  assessment  is  done  for  tanker  groundings.  A  fault  tree  is 
developed  to  describe  the  top  event  of  a  tanker  grounding.  A  number  of  well-known 
groundings  are  analyzed  to  test  the  utility  of  the  grounding  fault  tree. 
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Chapter  1  Introduction 

1.1  The  Need  for  an  Assessment 

Operating  on  the  ocean  inherently  involves  a  risk  environment  that  differs  significantly 
from  what  the  majority  of  people  encounter  on  a  daily  basis.  Mariners  are  familiar  with  these 
risks  in  practical  terms,  but  there  are  no  practical  means  for  mariners  to  fully  assess  all  the 
factors  that  could  affect  safety  [48].  Accepting  these  risks  is  considered  a  tradition  of  the  sea 
[53].  Risk  management  for  the  mariner  often  depends  upon  his  or  her  perception  of  the  risk 
at  hand,  and  a  personal  judgment  of  how  to  react  to  that  risk.  Thus,  symptoms  rather  than 
causes  are  often  treated  [48]. 

Until  recently,  the  environmental  risks  of  transporting  large  quantities  of  hazardous 
material  have  been  seemingly  underestimated  or  ignored.  While  the  recent  accidents  of  the 
Exxon  Valdez  and  the  Braer  have  rallied  public  outcries,  the  political  and  legislative  response 
has  been  typified  as  reactive.  Despite  restructuring,  the  regulatory  framework’s  efficacy  re¬ 
mains  questionable. 

It  is  estimated  that  3.3  million  tons  of  petroleum  hydrocarbons  enter  the  marine  envi¬ 
ronment  annually  (Table  1-1)  [47].  The  maritime  industry,  mostly  tankers,  contributes  forty- 
five  percent  of  the  pollution. 
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Table  1-1:  Input  of  Petroleum  into  the  Marine  Environment  - 1985  Estimates 


Source 

Best  Estimated  Input 

(million  tons  per  year) 

Natural  sources 

0.25 

Offshore  Production 

0.05 

Maritime  Transportation 

Tanker  Operation 

0.70 

Tanker  Accidents 

0.40 

Other 

0.40 

1.5 

Atmospheric  Pollution  Carried  to  Sea 

0.3 

Municipal  and  Industrial  Wastes  and  Runoff 

1.18 

Total 

3.3 

In  1992,  oil  tankers  carried  1,850  million  tons  of  cargoes  representing  nearly  44  per¬ 
cent  of  all  the  seaborne  trade  [63],  As  the  United  States  and  other  member  countries  of  the 
Organization  for  Economic  Cooperation  and  Development  (OECD)  continue  to  decline  in 
domestic  oil  production,  it  is  expected  that  their  import  dependence  will  rise  from  58  percent 
in  1992  to  70  percent  by  2010  [63],  The  demand  for  oil  in  the  rest  of  the  world  is  expected 
to  rise  even  faster,  doubling  by  2010  [63],  With  the  projected  increases  in  oil  demand,  and 
the  Organization  of  Petroleum  Exporting  Countries  (OPEC)  the  likely  source,  tanker  demand 
will  increase  as  the  world’s  dependence  on  OPEC  increases.  While  the  amount  of  petroleum 
pollution  compared  to  the  amount  of  petroleum  transported  at  sea  is  very  small,  with  more 
tankers  delivering  more  oil,  it  is  likely  that  marine  oil  pollution  will  increase.  To  minimize  the 
amount  of  petroleum  hydrocarbons  entering  the  oceans  from  the  tanker  industry,  a  thorough 
evaluation  of  the  entire  industry  must  be  done  to  incorporate  effective  improvements.  Recent 
studies  have  shown  that  operational  oil  pollution,  contributed  by  tankers,  has  been  reduced  by 
78  percent  [27],  however,  spills  from  accidents  vary  enormously  from  year  to  year. 

The  petroleum  industry  contributed  over  8  trillion  ton-miles  to  the  world’s  seaborne 
trade  in  1992  [63].  The  transportation  of  crude  oil  and  petroleum  products  represent  the 
largest  singe  contribution  to  seaborne  trade  (Figure  1-1)[63].  Because  the  movement  of  oil  is 
the  foundation  of  the  industry’s  structure,  slowing  the  movement  of  oil  would  slow  the 
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movement  of  cash. 


^iTlTlTlB 
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Figure  1-1:  World  Seaborne  Trade  by  Types  of  Cargo 


There  is  some  evidence  to  link  tanker  age  to  serious  casualties  [47],  The  world’s 
tanker  fleet  continues  to  age~the  average  tanker  age  in  1992  was  16.72  years  [63].  With 
most  of  the  world’s  oil  moved  by  ship,  the  expected  demand  on  an  aging  fleet  can  conceiva¬ 
bly  lead  to  more  accidents. 

There  are  a  number  of  issues  outlined  in  Table  1-2  confronting  the  oil  tanker  industry 
as  to  how  to  best  minimize  pollution.  These  issues  cannot  be  properly  addressed  until  there  is 
a  thorough  understanding  of  all  the  risks  involved  with  transporting  oil  at  sea. 


Table  1-2:  Oil  Tanker  Issues  Associated  With  Minimizing  Pollution 


Port  Control 

Crew  Rotation 

Machinery  Redundancy 

Liability 

Flag  State  Control 

Crew  Training 

Structural  Integrity 

Economics 

Vessel  Traffic 

Crew  Licensing 

Automation 

Crew  Size 

Navigation  Systems 

Law  of  the  Sea 

Communication 
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Perrow  has  called  the  maritime  industry  an  “error-inducing”  system  [53].  “The  con¬ 
figuration  of  its  many  components  induces  errors  and  defeats  attempts  at  error  reduction” 
[53].  Discrete  attempts  at  correcting  the  system  will  be  defeated  by  something  else  in  the 
system.  Once  the  risks  are  understood,  and  consideration  is  made  of  all  the  issues,  the  com¬ 
ponents  of  the  system,  and  their  synergism,  the  proper  regulatory  fi-amework  can  be  devel¬ 
oped  which  addresses  a  wholesale  solution  rather  than  discrete  problems.  The  result  can  be 
an  error-neutral,  or  an  error-avoiding  system. 


1.2  Outline 

This  thesis  begins  by  showing  that  there  is  a  need  for  a  total  systems  approach  to  risk 
and  risk  management  in  the  oil  tanker  industry.  Chapter  2  offers  a  brief  history  of  the  oil 
tanker  industry  and  the  regulation  thereof  Subsequently,  in  Chapter  3,  regulatory  considera¬ 
tions  are  presented  which  allow  for  innovation  while  minimizing  the  risk  of  pollution.  Chap¬ 
ter  4  then  presents  the  paradigm  to  follow  for  a  complete  risk  assessment.  Given  that  a  large 
percentage  of  marine  accidents  are  attributed  to  human  error.  Chapter  5  explores  the  causes 
and  classifies  human  error.  Since  proper  piloting  and  navigation  are  so  fundamental  to  a  safe 
voyage.  Chapter  6  offers  the  introductory  concepts  of  piloting  and  navigating  a  ship.  The 
first  step  of  a  PRA  is  to  identify  the  system  failures  and  sequences.  In  Chapter  7,  a  fault  tree 
for  oil  tanker  groundings  is  developed  to  identify  system  failures  and  sequences.  To  show  the 
utility  of  the  fault  tree,  some  well-documented  tanker  groundings  are  undertaken  as  case 
studies  in  Chapter  8.  Finally,  the  conclusions  and  recommendations  are  presented  in  Chapter 
9. 
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Chapter!  History 

2.1  Oil  Tanker  History 

The  first  commercial  oil  well  was  established  in  1859  in  Titusville,  Pennsylvania. 
Pennsylvania  crude  was  shipped  from  wells  to  refineries  in  wooden  barrels  to  make  kerosene. 
The  first  transatlantic  shipment  of  petroleum,  conducted  in  1861,  is  attributed  to  the  224-ton 
Elizebeth  Watts,  a  two-masted,  square-rigged  sailing  vessel.  As  shipments  began  to  increase, 
the  disadvantages  of  shipping  petroleum  in  wooden  barrels  led  to  the  use  of  5  gallon  tins 
[56],  But  the  expense  of  tins  gave  way  to  the  obvious  solution  of  shipping  in  bulk. 

The  Atlantic  was  launched  in  1863  as  the  first  ship  designed  to  carry  oil  in  bulk  [62], 
An  iron  sailing  ship,  the  Atlantic  and  all  following  tankships  used  the  hull  as  the  container  for 
the  cargo.  In  1885,  99  percent  of  American  oil  exports  were  still  carried  in  barrels.  The 
complete  transition  of  the  marine  petroleum  transportation  industry  to  a  bulk  system  occurred 
after  the  launching  of  Gluckauf,  in  1886.  Displacing  approximately  3,000  dead  weight  tons 
(dwt),  the  Gluckauf  was  the  first  ship  to  have  the  essential  features  of  a  modem  tanker.  By 
1906,  99  percent  of  American  oil  exports  was  carried  in  bulk  tankers  [37]. 

By  1921,  the  world  tanker  fleet  had  grown  to  7  million  dwt  [37].  As  the  fleet  had 
grown,  so  had  the  size  of  each  ship.  During  World  War  II,  the  demand  for  petroleum  far  ex¬ 
ceeded  the  capabilities  of  the  pre-war  fleet.  Therefore,  the  U.S.  built  532  tankers  of  the  T-2 
class  that  displaced  16,600  dwt.  After  the  war,  oil  companies  began  to  recognize  the  profits 
from  economies  of  scale.  In  1949,  ships  in  the  27,000  dwt  range  were  considered  supertank¬ 
ers. 
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The  incredible  post-war  economic  growth,  fueled  by  oil,  made  it  profitable  to  build 
local  refineries,  thereby  giving  new  importance  to  the  shipment  of  crude  oil.  By  the  mid 
1960’s,  more  than  half  the  world’s  seaborne  cargo  consisted  of  crude  or  refined  petroleum 
[11]. 

In  1956,  Egypt  took  control  of  the  Suez  Canal,  and  closed  it.  The  ramifications  of 
closing  the  \dtal  passage,  used  by  tankers  to  carry  oil  to  Europe,  spawned  owners  to  build 
bigger  ships  to  make  the  passage  around  the  Cape  of  Good  Hope.  In  1957,  the  largest  tanker 
was  57,000  dwt.  In  1966  the  first  supertanker  was  launched,  displacing  210,000  dwt.  By  the 
mid  seventies,  ships  were  being  built  in  the  500,000  dwt  range  and  the  1,000,000  dwt  tanker 
was  on  the  drawing  board. 

As  tankers  became  larger,  the  potential  damage  they  could  impose  upon  the  environ¬ 
ment  increased.  Limitations  on  tanker  size  had  been  imposed  by  operational  and  economic 
factors,*  rather  than  technical  constraints.  Yet,  the  effects  of  spills  from  the  likes  of  the  Tor- 
rey  Canyon,  and  the  Amoco  Cadiz,  have  allowed  public  opinion  to  limit  the  size  of  tankers.^ 
Considering  the  more  recent  Exxon  Valdez  accident,  it  is  unlikely  that  future  tanker  size  will 
ever  exceed  500,000  dwt. 

Currently,  the  world’s  tanker  fleet  is  over  263  million  dwt  [63],  with  over  6000  tank¬ 
ers  sailing  the  oceans  [47].  Of  the  world’s  merchant  fleet,  tankers  represent  the  oldest  type 
of  vessel.  The  average  age  of  a  tanker  is  16.72  years  with  62  percent  of  the  tankers  being 
built  more  than  15  years  ago  [63],  and  27  percent  more  than  25  years  old  [50].  With  an  ag¬ 
ing  fleet  serving  a  world  economy  thirsty  for  oil,  the  potential  for  disaster  remains  greater 
than  ever. 


’  In  the  last  25  years,  the  transportation  costs  of  oil  have  decreased  from  approximately  50  to  10  percent  of 
the  delivered  price.  Therefore,  there  is  less  incentive  to  build  larger  tankers,  especially  with  the  increasing 
role  of  liability. 

^  The  state  of  Washington  limits  tankers  operating  in  its  waters  to  125,000  dwt. 
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2.2  Oil  and  Water 


Oil  is  an  amalgam  of  thousands  of  chemicals,  and  each  chemical  affects  the  marine 
environment  in  a  different  way  [17].  The  environment  itself  lends  uncertainty  into  any  chemi¬ 
cal’s  effect.  Wind,  waves,  current,  temperature,  and  sunlight,  all  affect  the  ability  of  the  oil  to 
disperse,  dissolve,  and  biodegrade  [17], 

Ever  since  ships  began  transporting  petroleum  products  there  was  pollution  of  the 
seas.  Barrels  used  in  the  19th  century  would  typically  lose  between  5  and  12  percent  of  their 
contents  [56],  Not  only  did  the  leaky  barrels  cause  pollution,  but  when  loaded  on  a  ship,  the 
vapors  could  turn  the  ship  into  a  floating  bomb.  A  number  of  the  ships  used  in  the  19th  cen¬ 
tury  to  transport  oil,  left  port  never  to  be  seen  again. 

It  was  not  until  the  20th  century  that  concerns  for  pollution  began  to  be  voiced.  As 
Table  1-1  shows,  tanker  operation  accounts  for  nearly  1.1  million  tons  of  petroleum  pollution 
annually.  Most  of  the  pollution  comes  from  operations  such  as  loading,  unloading,  ballasting, 
etc.  In  1964,  the  major  oil  companies  decided  on  steps  to  reduce  and  remove  all  unwanted 
effects  from  discharging  oil  contaminated  water  by  introducing  the  load-on-top  tech¬ 
nique.  [58]  ^ 

Although  numerous,  operational  spills  are  typically  small,  and  isolated  from  the  pub¬ 
lic.  It  was  the  Torrey  Canyon  spill,  in  March  of  1967,  which  opened  the  modem  world’s 
eyes  to  the  potential  damage  to  be  offered  by  the  transporting  of  large  quantities  of  oil.  The 
Torrey  Canyon  accident  was  the  first  oil  spill  to  receive  such  widespread  publicity. 

As  tankers  grew  in  size,  new  problems  were  encountered.  In  December  of  1969, 
three  large  tankers  exploded  while  cleaning  the  tanks;  \h&Marpessa,  Mactra,  and  Kong 
Haakon  VII.  It  was  discovered  that  high  velocity  water,  used  to  clean  the  tanks,  created 


^  It  is  estimated  that  0.2  to  0.5  percent  of  a  tanker’s  cargo  remains  on  board  in  the  form  of  residue  after  dis¬ 
charge  [58].  For  a  250,000  dwt  tanker,  this  represents  1,250  tons  of  residue  which  previously  would  have 
been  washed  over  the  side.  The  load-on-top  technique  is  a  method  of  ballasting.  Simply  described,  after  a 
tanker  discharges  its  cargo,  its  tanks  are  cleaned  and  filled  with  ballast.  The  tanks  setie  with  time  and  the 
water  which  has  separated  to  the  bottom  is  pumped  overboard  and  the  oil  residues  are  then  pumped  to  a  slop 
tank  to  be  retained  and  intermingled  with  the  next  cargo.  Literally,  loaded  on  top  of  the  residues. 
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enough  static  electricity  to  ignite  the  fumes  in  the  tanks.  These  catastrophes  led  to  the  inert 
gas  systems'*,  and  crude  oil  washing* ,  now  employed  on  all  large  tankers. 

The  1970’s  provided  more  examples  of  the  hazards  offered  by  tankers.  In  1976 
alone,  19  tankers  went  aground,  exploded,  or  sank.  The  1970’s  culminated  with  the  worst 
tanker  accident  ever— the  collision  of  the  two  supertankers  Atlantic  Empress  and  Aegan 
Captain  off  the  coast  of  Tobago. 

The  U.S.  has  not  been  spared  from  its  share  of  tanker  accidents.  Table  2-1  [49] 
shows  a  list  of  tanker  oil  spills  exceeding  1  million  gallons  that  occurred  in  U.S.  waters  from 
1976  to  1989.  Even  though  all  the  spills  were  significant  in  terms  of  the  amount,  the  spills 
between  the  Argo  Merchant  and  the  Exxon  Valdez  either  did  not  occur  in  an  area  considered 
environmentally  sensitive,  or  they  were  not  sufficiently  spectacular  to  invigorate  the  media  to 
evoke  a  widespread  public  response. 


Table  2-1:  U.S.  Tanker  Spills  Exceeding  1  Million  gallons  1976-1989 


DATE 

SOURCE 

LOCATION 

MILLION 

GALLONS 

SPILLED 

CAUSE 

3-24-89 

Exxon  Valdez 

Prince  William  Sound,  Alaska 

10.8 

grounding 

10-31-84 

Puerto  Rican 

off  San  Francisco,  California 

2.0 

explosion/fire 

7-30-84 

Alvenus 

off  Cameron,  Louisiana 

2.8 

grounding 

3-31-82 

Arkas 

Montz,  Louisiana 

1.47 

collision/fire 

1-28-81 

Olympic  Glory 

Galveston  Bay,  Texas 

1.0 

collision 

11-22-80 

Georgia 

Pilottown,  Louisiana 

1.3 

holed  by  anchor  chain 

11-1-79 

Burmah  Agate 

Galveston  Bay,  Texas 

10.7 

collision/fire/explosion 

12-15-76 

Argo  Merchant 

off  southeastern  Massachusetts 

^■1 

grounding 

*  Petroleum  vapors  are  flammable  for  a  small  range  of  airA^apor  mixtures.  The  object  of  an  inert  gas  system 
is  to  reduce  the  oxygen  level  in  the  tank  atmosphere  by  replacing  it  with  some  other  gas.  This  is  accom¬ 
plished  by  either  using  the  flue  gasses  from  the  boilers  or  utilizing  a  separate  inert  gas  generator. 

^  Crude  oil  washing  employs  the  cargo  itself  to  wash  the  tanks.  It  has  been  shown  to  leave  less  residue  and 
clean  the  tanks  better  than  water.  The  electro-static  charge  generated  by  washing  with  crude  oil  is  signifi¬ 
cantly  less  than  that  of  water.  However,  if  there  is  water  in  the  oil,  the  generated  electro-static  charge  can  be 
greater.  Therefore,  crude  oil  washing  must  be  employed  with  inert  gas  systems. 
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2.3  International  Regulation  History 


Marine  pollution  from  tankers  is  generally  put  into  two  categories: 

1.  Operational:  discharges  which  occur  during  loading/unloading,  ballasting, 
and  tank  cleaning. 

2.  Accidental:  spills  resulting  from  a  tanker  casualty. 

With  “Freedom  of  the  Seas”  as  a  first  principle,  making  the  oceans  common  property,  it  has 
been  necessary  to  address  marine  pollution  on  an  international  level.  Hence,  various  interna¬ 
tional  agencies,  conventions,  and  conferences  have  emerged  to  address  both  operational  and 
accidental  spills  to  varying  degrees. 

General  concern  for  oil  pollution  began  in  the  1920’s  when  pollution  was  addressed  at 
the  International  Maritime  Conference  in  Washington,  D.C..  Despite  issues  being  addressed 
in  both  technical  and  legal  terms,  the  convention  failed  to  be  ratified  by  any  nation  [51]. 

During  World  War  II,  nearly  20  million  barrels  of  oil  spilled  into  the  Atlantic  Ocean  as 
a  consequence  of  war.  With  the  lingering  pollution  of  the  war,  the  increase  in  petroleum  de¬ 
mand,  and  continued  discharges  of  oil  into  the  sea,  there  was  another  attempt  to  attack  the 
problem  at  an  international  level.  In  1954,  the  International  Convention  on  the  Prevention  of 
Oil  Pollution  met  with  the  premise  to  prohibit  the  intentional  discharge  of  oil  and  oily  mix¬ 
tures.  Under  this  Convention,  and  subsequent  amendments,  a  system  of  zonal  controls  was 
created,  prohibiting  discharges  within  50  miles  of  the  coast,  and  otherwise  limited  dirty  bal¬ 
last  discharges  to  a  proscribed  rate[9]. 

In  1958,  the  United  Nations  held  the  first  Conference  on  the  Law  of  the  Sea 
(UNCLOS  I)  and  formed  the  Intergovernmental  Maritime  Consultative  Organizations 
(IMCO),  now  known  as  the  International  Maritime  Organization  (IMO).  The  IMO  has 
become  the  primary  force  behind  international  maritime  issues.  UNCLOS  I  resulted  in  two 
conventions  which  addressed  pollution.  Issues  of  coastal  state’s  rights  verses  freedom  of  the 
seas  began  to  emerge  regarding  pollution.  The  Convention  on  the  High  Seas  attempted  to 
temper  the  controversy  by  calling  on  all  nations  to  cooperate  with  international  organizations 
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to  prevent  pollution  of  the  seas  [65],  The  second  convention,  the  Convention  on  the 
Territorial  Sea  and  the  Contiguous  Zones,  declared  coastal  state’s  rights  in  the  12  mile 
territorial  waters.  But  the  language  was  broad  and  it  did  not  specifically  address  oil  pollution, 
liability,  and  damages. 

In  1967,  when  the  Toney  Carbon  spilled  nearly  120,000  tons  of  crude  oil  off  the 
southwest  coast  of  England,  the  reality  of  the  hazards  involved  with  transporting  oil  came  to 
light.  Issues  involving  the  coastal  states’  right  to  take  preventive  action  on  the  high  seas  to 
protect  its  shores  contradicted  with  the  traditional  “freedom  of  the  sea’s”  philosophy.  The 
International  Convention  Relating  to  Intervention  on  the  High  Seas  in  Cases  of  Oil  Pollution 
Casualties,  in  1969,  provided  coastal  states  with  emergency  response  power  beyond 
territorial  waters  in  order  to  prevent,  mitigate,  or  eliminate  grave  and  imminent  danger  to  the 
marine  environment  when  there  was  an  expectation  of  major  harmful  consequences  [65]. 

The  Toney  Canyon  spill  became  a  catalyst  for  issues  of  liability.  The  1969 
International  Convention  on  Civil  Liability  for  Oil  Pollution  Damage  provides  a  legal  basis  for 
claims  of  damages  to  a  state’s  territorial  sea  or  coast.  The  convention  imposes  strict  liability 
on  the  ship  owner  and  requires  vessels  to  have  certificates  of  financial  responsibility  (COFR) 
to  the  liability  limits  [9].  The  liability  limit  of  the  convention  was  placed  at  $18  million.  The 
1971  International  Convention  on  the  Establishment  of  an  International  Fund  for 
Compensation  for  Oil  Pollution  Damage  was  intended  to  supplement  the  inadequate  liability 
limits,  raising  the  limit  to  $79  million. 

As  a  result  of  the  Toney  Canyon  spill,  the  IMCO  took  a  more  comprehensive 
approach  to  oil  pollution  and  adopted  the  1973  International  Convention  for  the  Prevention 
of  Pollution  from  Ships  (MARPOL).  But  a  series  of  groundings,  collisions,  and  explosions 
between  1974  and  1977  resulted  in  a  number  of  coastal  states  demanding  another  conference, 
leading  to  the  subsequent  1978  Protocol  (MARPOL  73/78).  MARPOL  73/78  supersedes  the 
1954  convention  and  addresses  pollution  more  comprehensively  with  both  operational  and 
technological  requirements.  Operational  discharges  are  excluded  within  50  miles  of  land  and 
within  special  areas.  Outside  of  these  exclusion  zones,  discharges  are  limited  to  proscribed 
amounts  achievable  by  either  load  on  top  or  shore  discharge  facilities.  Machinery  space 
bilges  are  required  to  have  monitoring  equipment  to  control  effluent.  Additionally, 
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MARPOL  73/78  provides  technical  requirements  for  the  design  and  construction  of  oil 
tankers  including  segregated  ballast  tanks,  crude  oil  washing  systems  gas  inerting  systems, 
retrofitting  schemes,  steering  equipment,  and  navigational  aids. 

The  apparent  effectiveness  of  the  conferences  seemed  questionable,  when  within  one 
month  of  the  1978  conference,  the  Amoco  Cadiz  grounded  and  spilled  over  200,000  tons  of 
Iranian  crude  off  the  coast  of  France.  In  spite  of  the  spill,  MARPOL  73/78  remained  as  the 
principle  international  regulatory  document  addressing  maritime  pollution. 

Despite  the  advances  made  by  MARPOL  73/78  to  prevent  pollution,  it  left  the 
responsibility  of  enforcement  \^dth  the  country  in  which  the  vessel  was  registered  (flag  state). 
With  a  trend  of  ship  owners  registering  under  flags  of  convenience,  there  was  little  economic 
incentive  for  these  third-world  flags  to  engage  in  a  vigorous  enforcement  effort  against  its 
ships  in  distant  waters  [9].  UNCLOS  HI  was  designed  to  increase  port  state  authority  and 
extend  limited  authority  over  foreign  vessels  in  the  exclusive  economic  zone  (EEZ).* 

The  IMO  has  typically  approached  marine  safety  from  a  technical  perspective  [65], 
but  the  awareness  of  the  role  that  human  factors  have  in  the  steady  occurrence  of  marine 
casualties  has  led  to  different  approach.  In  November  1993,  the  IMO  adopted  Resolution 
A.741(18)  —  the  International  Safety  Management  Code  (ISM  Code).  The  ISM  Code 
addresses  shipboard  and  shore-based  management  for  the  safe  operation  of  ships,  and  the 
prevention  of  pollution.  The  focus  of  the  ISM  Code  is  on  a  management  system.  The  ISM 
Code  encourages  those  responsible  for  the  operation  of  ships  to  take  appropriate  steps  to 
develop,  implement,  and  assess  safety  and  pollution  prevention  management  [25]. 


®  The  EEZ,  defined  by  UNCLOS,  defines  management  and  ownership  of  resources  out  to  200  miles  from  the 
shoreline: 
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2.4  Domestic  Regulation 


The  pattern  of  domestic  regulation  addressing  oil  pollution  parallels  that  of  the 
international  community  but  it  is  often  not  in  union.  With  concerns  of  oil  pollution  at  the  turn 
of  the  century,  in  1926,  the  U.S.  legislated  the  Pollution  of  the  Sea  by  Oil  Act  [62], 

At  the  time  of  the  Torrey  Canyon  spill,  the  Limitation  of  Vessel  Owner’s  Liability  Act 
of  1851  (1851  Act)  was  still  in  force  in  the  U.S..  The  1851  Act  was  intended  to  promote 
commerce  and  shipping  by  limiting  a  shipowner’s  potential  liability.  The  185 1  act  limited  the 
liability  of  an  owner  to  the  value  of  the  vessel  after  the  incident  plus  any  money  the  vessel 
owner  had  earned  during  the  voyage  in  with  the  incident  occurred.  In  the  case  of  the  Torrey 
Canyon,  (which  had  claims  of  $153  million  in  1992  dollars),  liability  in  the  U.S.  was  limited 
to  $50  --  the  value  of  the  remaining  lifeboat  [64]. 

Since  the  Torrey  Canyon  spill,  the  U.S.  Congress  has  made  efforts  to  ensure  equitable 
liability.  The  Congress  never  adopted  the  1969  and  1971  liability  conventions,  and  instead 
chose  to  take  a  unilateral  step  toward  a  resolution  of  financial  responsibility  by  enacting  the 
Federal  Water  Pollution  Control  Act  (FWPCA). 

The  FWPCA  superseded  the  1851  Act,  with  respect  to  pollution,  by  establishing 
liability  limits  and  requiring  COFR’s  to  assure  clean-up  compensation.  In  this  unilateral 
action,  the  U.S.  became  the  first  country  to  require  COFR’s.  The  COFR’s  were  required 
four  years  before  the  1969  CLC  entered  into  force. 

After  FWPCA,  Congress  took  a  fragmented  approach  by  enacting  a  series  of  directed 
legislation.  Each  act  mandating  larger  and  more  comprehensive  financial  responsibility  for 
vessels  involved  in  the  respective  act’s  coverage; 

1 .  Trans-Alaska  Pipeline  Authorization  Act  of  1973 . 

2.  Deepwater  Port  Act  of  1974. 

3.  Outer  Continental  Shelf  Lands  Act  Amendments  of  1978. 

4.  Comprehensive  Environmental  Response,  Compensation,  and  Liability  Act 

of  1980. 
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The  U.S.  did  depart  from  its  unilateral  action  by  implementing  MARPOL  73/78  as  the 
Act  to  Prevent  Pollution  from  Ships  in  1980.  But  when  the  Exxon  Valdez  ran  aground  1989, 
Congress  took  swift  and  unilateral  action  to  modernize  the  liability  laws,  rejecting  the 
international  approach. 

When  the  Exxon  Valdez  spilled  40,000  tons  of  oil,  there  was  an  incredible  public 
reaction.  It  was  the  Exxon  Valdez  spill  that  coalesced  American  public  opinion  about  the 
need  for  immediate  protection  of  the  environment  from  oil  tankers  [60].  The  subsequent 
congressional  debate  and  legislation  resulted  in  the  Oil  Pollution  Act  of  1990  (OP A  90). 

The  unilateral  action  of  OPA  90  is  far-reaching,  and  it  has  been  described  as  “one  of 
the  most  comprehensive  protectionist  laws  we  have  ever  seen”  [61].  A  large  number  of 
vessels  doing  business  in  the  U.S.  are  foreign  flagged.  By  imposing  strict  liability,  allowing 
states  to  impose  unlimited  liability,  rasing  the  amount  of  required  financial  responsibility,  and 
imposing  double  hull  technology,  it  is  probably  the  most  broad-reaching  piece  of 
environmental  legislation  ever  to  be  signed  into  law  in  the  United  States  and  in  the  world 
[60]. 

OPA  90  was  intended  to  address  oil  spills  with  stronger  measures  in  terms  of  preven¬ 
tion,  response,  and  liability.  And  while  those  topics  won  broad  support  throughout  the  ne¬ 
gotiations,  it  is  the  method  of  implementation  that  has  generated  the  criticisms  of  OPA  90. 


2.5  Summary 

Once  oil  enters  the  ocean,  it  is  acted  upon  by  a  wide  variety  of  processes.  The  short 
term  effects  of  a  spill  can  be  extremely  harmful  to  the  environment.  The  long  term  effects  of 
oil,  and  its  myriad  constituents  are  still  unknown.  Clearly,  some  areas  are  more  susceptible 
than  others-low  energy  coastal  environments  appear  to  be  particularly  vulnerable  [17].  Ex¬ 
perience  seems  to  indicate  that  recovery  times  are  about  10  to  20  years.  Regardless  of  the 
impact,  it  is  a  preventable  man-made  perturbation  of  the  environment  which  stresses  the  eco¬ 
system  unnecessarily. 
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After  the  Alaskan  pipeline  was  completed,  there  were  over  8,700  tanker  transits  of 
Prince  William  Sound  without  incident  [13],  Complacency  on  behalf  of  all  the  parties  in¬ 
volved,  including  the  public,  contributed  to  iSne  Exxon  Valdez  disaster.  To  prevent  spills, 
complacency  must  be  prevented.  To  prevent  complacency,  one  must  continually  remember 
that  major  spills  will  happen,  and  when  they  do,  they  cannot  be  controlled. 

Knowing  that  spills  are  inevitable,  there  must  be  a  concerted  effort  to  minimize  those 
spills.  International  and  domestic  regulatory  bodies,  in  conjunction  with  oil  companies  and 
tanker  owners,  have  made  significant  strides  to  minimize  the  amount  of  oil  pollution  from 
tankers.  But  the  progress  gained  has  been  typically  reactive.  To  minimize  oil  pollution,  all 
parties  must  thoroughly  understand  all  of  the  elements  of  prevention. 
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Chapter  3  Regulatory  Considerations 


3.1  The  Importance  of  Prevention 

The  economic  burden  of  regulation  assumes  to  yield  a  safety  benefit.  When  charter 
rates  go  down,  operating  margins  suffer,  and  expense  reduction  becomes  critical  to  the  ship 
owners.  As  a  result,  maintenance  is  deferred,  planning  is  short-sighted,  and  owners  assume 
more  risk  to  stay  afloat  [22].  Ultimately,  safety  suflFers  and  the  risk  of  an  accident  and  subse¬ 
quent  undesirable  consequences  to  the  crew,  ship,  and  environment  increases. 

The  primary  motivation  to  prevent  tanker  accidents,  is  to  minimize  oil  outflow  to  the 
environment.  Of  course,  efforts  to  prevent  oil  spills,  benefit  crew  and  ship  safety.  It  is  as¬ 
sumed  that  the  goal  of  safe  transportation  is  zero  oil  outflow.  With  this  in  mind,  Figure  3-1 
[51]  defines  a  pyramid  of  safety  for  oil  transport  at  sea.  The  apex  represents  mitigative 
measures.  The  middle  of  the  pyramid  represents  measures  that  minimize  pollution  after  an 
accident  occurs.  The  base  of  the  pyramid  represents  those  measures  that  can  prevent  acci¬ 
dents  from  happening  in  the  first  place. 

“Accidents  are  actions,  or  inactions,  that  result  in  unanticipated  and  undesirable  com¬ 
promises  in  quality  and  safety”  [43].  There  needs  to  be  more  focus  on  improving  quality  and 
safety  in  the  petroleum  transportation  industry  and  prevention  needs  to  be  the  primary  con¬ 
cern.  While  prevention  is  complex  and  difficult  to  measure,  efficacy  can  only  be  determined 
when  there  is  an  understanding  of  all  the  variables  that  create  accidents.  The  focus  is  the  re¬ 
sponsibility  of  naval  architects,  ship  owners,  operators  and  regulators. 
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Figure  3-1:  Pyramid  of  Safety  for  Transport  of  Oil  at  Sea 


3.2  Technology  and  the  Efficient  Frontier 

Technological  change  is  regarded  as  essential  to  advances  in  pollution  reduction  [1], 
Technology  can  be  defined  as  the  body  of  tools,  machines,  materials,  techniques  and  proc¬ 
esses  used  to  produce  goods  and  services  and  satisfy  human  needs.’  For  an  industry  to 
change  its  technology  it  must  have  willingness,  capacity,  and  opportunity.  While  attitudes 
affect  willingness,  and  knowledge  affects  capacity,  the  regulatory  framework  often  provides 
the  opportunity  [1].  But  measuring  opportunity  must  not  be  limited  to  existing  technology, 

’  Thomdike-Bamhart  Dictionary,  Scott  Foresman  and  Co.,  1967. 
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since  this  does  not  present  the  true  risk-reducing  potential  provided  by  technological  innova¬ 
tion. 

Consider  Figure  3-2,  a  plot  of  the  costs  per  unit  of  risk  reduction  facing  the  pro¬ 
ducer/operator.  The  curves  represent  the  marginal  costs  for  the  reduction  of  risk  using  the 
spectrum  of  available  technologies.  The  curve  for  the  optimum  technology  available  repre¬ 
sents  the  lowest  cost  approach  to  achieving  risk  reduction.  This  curve  is  the  efficient  frontier 
that  should  form  the  basis  for  risk  reduction  regulation.. 

While  Figure  3-2  shows  how  the  eflScient  frontier  compares  to  other  technology,  it 
lacks  vision  in  terms  of  future  innovation.  To  consider  the  possibilities  of  technological  ad¬ 
vances,  a  more  dynamic  approach  must  be  taken. 


Cost/Risk 


Figure  3-2:  The  Efficient  Frontier  for  Risk  Reduction  Compliance 
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3.3  The  Role  of  Future  Technology 

Continuing  with  a  more  dynamic  economic  approach,  refer  to  Figure  3-3.  Let  the 
pre-regulatory  level  of  risk  be  represented  by  RO.  Societal  demand  for  risk  reduction  requires 
regulations  to  impose  a  maximum  allowable  risk  that  is  significantly  lower.  Suppose  that 
public  demand  requires  that  regulation  impose  a  reduction  in  risk  from  RO  to  Rl.  The  best 
existing  technology  imposes  a  cost  represented  by  point  B.  If  it  were  possible  to  stimulate 
innovation,  a  new  curve  might  be  generated  which  could  allow  the  same  degree  of  risk  re¬ 
duction  at  a  lower  cost:  the  difference  between  points  B  and  C.  On  the  other  hand,  for  the 
same  cost,  a  lower  risk  is  achievable  (point  D). 


Cost/Risk 


Figure  3-3:  Innovative  Response  to  Regulation 


Mandating  double-hulls,  as  a  passive  oil  outflow  prevention  measure,  imposes  a  tech¬ 
nology-based  standard  on  the  industry.  While  mandating  double  hulls  will  minimize  oil  pol- 
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lution  for  some  groundings  and  collisions,  it  may  not  be  the  optimum  technology,  and  it  im¬ 
pedes  innovation  of  other  technologies  which  may  be  more  effective. 


3.4  Technology  Based  Strategy 

There  needs  to  be  a  regulatory  structure  which  effectively  addresses  pollution  pre¬ 
vention  and  mitigation  while  minimizing  any  unnecessary  economic  burdens  and  innovation 
impediments.  Therefore,  a  broader  technology-based  strategy  rather  than  a  technology  based 
standard  must  be  implemented.  A  technology-based  strategy  focuses  on  expanding  the  tech¬ 
nological  options  for  reducing  or  eliminating  the  risks  associated  with  transporting  oil  at  sea 
[1].  It  also  encourages  safety  development  rather  than  restricting  safety  to  a  set  of  boundary 
conditions  imposed  by  a  mandated  technology. 

Once  the  components  with  the  greatest  risk-reducing  potential  are  identified,  they  can 
be  addressed  through  one  or  all  of  the  following; 

1.  An  appropriate  combination  of  efiScient  engineering  systems  and  equip¬ 
ment. 

2.  Efficient  management  systems  and  procedures. 

3.  A  practical  understanding  of  people  and  other  human  factors. 

3.4  The  Role  of  Risk  Assessment 

Traditionally,  formal  risk  analysis  is  divided  into  two  parts  [24]: 

1.  risk  assessment:  which  seeks  to  identify  hazards  and  calculate  their  ex¬ 
pected  adverse  effects. 

2.  risk  management:  which  seeks  to  structure  decision-making  on  the  accept¬ 
ability  of  risks  and  on  the  measures  society  might  employ  against  unacceptable 
risks. 

Society  demands  that  risk  not  exceed  a  certain  level  based  upon  cost  per  unit  risk  and  the 
consequences.  The  integrated  systems  approach  to  risk  assessment  and  risk  management 
should  be  undertaken  to  determine  and  manage  tanker  industry  risks.  Once  high  risk  compo- 
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nents  are  identified,  they  can  be  prioritized  not  only  by  their  risk,  by  their  potential  for  risk 
reduction.  Regulators  can  then  systematically  influence  risk  levels  to  society’s  demand  with¬ 
out  compromising  their  regulatory  responsibility  and  minimizing  the  regulatory  burden  placed 
upon  the  ship  owners. 
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Chapter  4  Probabilistic  Risk  Assessment 


4.1  The  Process 

A  probabilistic  risk  assessment  (PRA)  provides  a  formal  process  of  determining  the 
full  range  of  possible  adverse  occurrences,  and  values  to  be  assigned  to  their  probabilities  and 
expected  costs,  for  any  undesirable  event.  There  are  numerous  undesirable  events  that  can  be 
characterized  in  the  maritime  industry.  As  Table  1-1  shows,  the  majority  of  oil  pollution  from 
the  maritime  industry  is  from  oil  tankers.  Although  tanker  accidents  may  only  represent  12 
percent  of  the  annual  oil  pollution  to  the  marine  environment,  compared  to  21  percent  due  to 
operational  oil  pollution  [47],  operational  pollution  is  better  understood,  more  deterministic, 
and  is  actively  being  reduced.  A  more  recent  estimate  of  oil  discharged  into  the  marine  envi¬ 
ronment  from  tanker  operations  suggests  that  a  78  percent  decrease  from  the  1985  estimate 
in  Table  1-1  [27]. 

There  are  numerous  accidents  that  receive  inadequate  investigation,  and  an  unknown 
number  of  accidents  that  are  not  reported  [30].  Statistically,  for  every  maritime  accident, 
there  are  400  near  misses  [6].  While  serious  accidents  typically  evoke  intense  public  scrutiny 
and  contribute  valuable  insight  into  causality,  the  tendency  is  to  elicit  a  reactive  and  sympto¬ 
matic  response.  The  results  too  often  address  the  worst-case  scenario,  and  ignore  the  most- 
likely  incident  [32].  Hence,  there  is  a  fundamental  lack  of  understanding  as  to  how  and  why 
accidents  occur  and  this  PRA  will  focus  on  accidents. 

To  undertake  a  complete  PRA,  tasks  must  be  defined  so  that  the  process  proceeds 
systematically.  Rasmussen  defined  the  essential  tasks  of  a  PRA  in  his  safety  study  of  the  nu- 
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clear  power  industry  [66],  Modifying  Rasmussen’s  approach,  the  required  tasks  necessary  to 
perform  an  assessment  of  the  oil  tanker  industry  are  as  follows  [55]: 


BASIC  TASKS 


Figure  4-1:  Basic  Tasks 


Task  1: 

Task  2: 

Task  3: 

Task  4: 
weather 

Task  5: 

Task  6: 
fied. 


Identifies  the  combination  of  system  failures  which  can  lead  to  an  accident. 

Determines  the  probability  of  each  failure. 

Yields  the  probability  distribution  of  oil  outflow  for  each  failure. 

Determines  the  transport  and  fate  of  the  released  oil  for  the  prevailing 
conditions. 

Assesses  the  economic  and  environmental  effects. 

Provides  an  overall  risk  assessment  for  each  of  the  failure  sequences  identi- 


4.2  Baye’s  Theorem 


The  outcome  of  this  PRA  is  the  economic  and  environmental  impact  of  an  oil  spill. 
Given  the  series  of  tasks  outlined  to  perform  a  PRA,  it  is  conceptually  easier  to  break  the 
tasking  into  a  set  of  functional  levels.  The  occurrence  of  an  oil  spill  is  dependent  upon  a 
number  of  events.  Probabilities  of  dependent  events  can  be  evaluated  using  Baye’s  theorem: 
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For  two  events  A  and  B, 

P(A)  =  the  probability  of  event  A. 

P(B)  =  the  probability  of  event  B. 

P(A/B)  =  the  probability  of  event  A  given  the  occurrence  of  event  B. 
P(B/A)  =  the  probability  of  event  B  given  the  occurrence  of  event  A. 
P(AB)  =  the  probability  of  event  A  and  B. 

Utilizing  set  theory,  P(AB)  is  the  intersection  of  the  two  events: 


P(B/A)  is  concerned  with  the  darkened  part  of  Figure  5  and  is  the  ratio  of  the  area 
(AB)  to  the  total  area  A,  that  is: 


P(B/A)  =  P(AB)  (1) 

P(A) 


By  symmetry  it  may  be  shown  that: 


P(A/B)  =  P(AB)  (2) 

P(B) 


Solving  for  P(AB): 


P(AB)  =  P(A)P(B/A)  =  P(B)P(A/B)  (3) 


Figure  4-2:  Venn  Diagram 
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4.3  Risk  Model 


Utilizing  the  above  concepts  to  develop  a  risk  model,  the  tasks  are  broken  into  three 

levels. 


Level  1:  Develop  a  probability  of  damage  and  the  extent  to  the  ship  as  the  it  re¬ 
sponds  to  an  initiating  event:  P(damage  extent). 

Level  2:  Given  that  an  extent  of  damage  has  occurred,  what  is  the  probability  that  oil 
will  outflow  to  the  environment:  P(outflow|damage  extent). 

Level  3:  Given  that  oil  is  released  to  the  environment,  what  is  the  probability  of  im¬ 
pact  to  the  environment:  P(impact|outf1ow). 


Figure  4-3:  Risk  Model 


Ultimately,  the  probability  of  oil  pollution  producing  adverse  economic  and  environ¬ 


mental  consequences  can  be  evaluated: 


P(impact)  =  P(dainage  extent)  x  P(outflow|daniage  extent)  x  P(inipact|outflow)  (4) 
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4.4  Fault  Trees 


Complex  systems  that  have  multiple  failure  modes  with  physical  and  operational  inter¬ 
actions  lend  themselves  to  fault  tree  analysis,  especially  if  the  role  of  humans  in  the  operation 
needs  to  be  modeled  [39].  Fault  tree  analysis  was  developed  for  the  aerospace  industry  for 
system  safety  analysis.  It  was  later  extensively  used  in  PRA’s  for  the  nuclear  power  industry 
[19]. 

A  fault  tree  is  a  graphical  display  to  show  how  the  basic  component  failures  can  lead 
to  a  pre-determined  system  failure  state.  In  constructing  a  fault  tree,  one  starts  with  a  par¬ 
ticular  fmlure  or  undesired  event  and  deductively  works  backwards  to  explore  all  the  combi¬ 
nations  of  events  that  may  lead  to  that  particular  failure.  The  fundamental  building  blocks  of 
the  fault  tree  are  the  AND  gate  and  the  OR  gate  (Figure  4-4). 


C=A*B  I 

AND-gate 
C  =  A  AND  B 

Output  occurs  if  and  only  if  all  input  events  occur 


AND 


OR-gate 
C  =  A  OR  B 

Output  occurs  if  one  or  more  input  events  occur 


Figure  4-4:  AND  and  OR  Gates 
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The  reasoning  used  to  build  a  fault  tree  for  a  system  requires  an  understanding  of  the 
system  and  it's  intended  use.  At  each  reduction  stage  of  the  fault  tree,  the  general  causes  for 
the  undesirable  top  event  must  be  determined  in  as  broad  of  terms  as  possible.  By  being  as 
general  as  possible  at  each  reduction  stage,  it  is  more  likely  that  all  possible  combinations  of 
events  may  be  taken  into  account.  “Elegant  simplicity  instead  of  unnecessary  complexity  is  to 
be  encouraged”  [5]. 

Once  the  system  is  depicted  in  a  logic  diagram,  the  minimum  cut  sets  can  be  deter¬ 
mined.  A  minimum  cut  set  is  defined  as  a  set  of  system  components  such  that  if  all  the  com¬ 
ponents  fail,  system  failure  results,  but  if  any  one  component  has  not  failed,  no  system  failure 
results  [54].  When  the  minimum  cut  sets  are  identified,  the  appropriate  probabilities  can  be 
assigned  and  the  probability  of  the  top  event  can  be  calculated. 


4.5  Event  Trees 

Event  trees  represent  the  complete  event  space,  consisting  of  the  events  that  are  pos¬ 
sible  in  a  system  [54].  Event  trees  are  usually  developed  in  binary  format  where  the  events 
are  assume  to  either  fail  or  succeed.  A  sequence  of  events  are  then  analyzed  to  determine 
how  failure  might  occur.  Although  deductive  in  principle,  the  construction  of  an  event  tree 
requires  a  good  deal  of  inductive  reasoning  by  the  analyst  [39], 
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EVENT A 


EVENTS 


Figure  4-5:  Event  Tree 


Event  trees  are  constructed  from  initiating  events,  subsequent  events  either  fail  or 
succeed  until  all  of  the  events  in  the  event  space  occur.  The  logical  representation  of  each 
event  is  obtained  and  then  reduced  through  the  use  of  Boolean  algebra. 

4.6  Summary 

The  risks  involved  the  tanker  industry  need  to  be  better  understood.  There  needs  to 
be  a  systematic  approach  to  understand,  identify,  and  minimize  the  risks.  Once  the  risks  are 
understood,  and  consideration  is  made  of  all  the  issues,  the  components  of  the  system,  and 
their  synergism,  the  proper  framework  can  be  developed  which  addresses  a  wholesale  solu¬ 
tion  rather  than  discrete  problems. 

The  basic  tasks  required  to  undertake  a  systematic  assessment  have  been  outlined. 
The  proposed  risk  model  outlines  three  levels  of  assessment  that  will  lead  to  the  probability 
of  oil  pollution  producing  an  impact  upon  the  environment.  The  approach  has  matured  in  the 
nuclear  industry.  Many  of  the  issues  undertaken  in  the  nuclear  industry  are  germane  to  ships. 
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Chapter  5  Human  Failure  and  Accidents 

5.1  The  Prevalent  Factor 

Human  error  is  a  common  feature  of  everyday  life.  Errors  occur  for  many  different 
reasons,  and  usually  involve  a  complex  interaction  of  many  different  factors.  Human  errors 
have  been  shown  to  underlie  the  failures  of  many  engineered  systems.  Human  error  can  ei¬ 
ther  be  an  immediate  accident  initiator,  or  it  can  play  a  dominant  role  in  the  progress  of  un¬ 
desired  events  [39].  In  almost  all  cases,  the  initiating  event  of  a  high  consequence  accident  is 
traced  to  a  catastrophic  compounding  of  human  errors  [5]. 

The  pervasiveness  of  human  error  in  the  maritime  industry  has  been  known  for  a 
number  of  years.  For  example,  in  1972,  the  chairman  of  the  American  Hull  Insurance  Syndi¬ 
cate  revealed  that  85  percent  of  the  Syndicate’s  claims  payments  were  for  human-error 
casualties  [45].  In  1976,  the  National  Research  Council  (NRC)  attributed  80  percent  of  ves¬ 
sel  collisions,  rammings  and  groundings  to  human  error  [45].  As  ships  have  become  larger, 
the  tolerance  for  human  error  has  decreased,  while  the  consequences  have  increased  im¬ 
mensely.  Still,  as  a  whole,  little  has  been  done  to  effectively  address  the  issue  of  human  error. 
More  recently,  in  1993,  the  UK  P&I  Club  reported  that  62  percent  of  the  major  claims  asso¬ 
ciated  with  commercial  shipping  were  a  result  of  human  error  [33].  The  large  number  of  in¬ 
cidents  attributable  to  human  error  is  not  just  constrained  to  the  commercial  arena.  A  report 
by  the  U.S.  Naval  Safety  Center  found  that  human  error  caused  70  to  85  percent  of  mishaps 
involving  U.S.  naval  vessels  from  1989  to  1993  [36]. 


35 


It  would  seem  that  the  high  percentage  of  accidents  attributed  to  human  error  have 
become  accepted  as  a  norm  of  the  maritime  industry.  Jerry  Aspland,  retired  president  of 
Arco  Marine  states  [2]: 

Twenty-five  years  ago,  I  heard  the  quote,  “85  percent  of  all  maritime  accidents  are 
caused  by  human  error.”  One  month  ago,  I  heard  the  quote  “85  percent  of  all 
maritime  accidents  are  caused  by  human  error.” 

Is  this  coincidence  or  the  result  of  the  marine  community’s  &ilure  to  ad¬ 
dress  a  most  complex  system;  human  behavior? 

Arco  Marines’s  study  of  human  behavior  determined  that  alertness  has  the  primary  impact  on 
human  error.  This  is  exactly  what  the  NRC  [45]  determined  in  1976.  The  implication  is  that 
the  alertness  issue  has  been  known  for  nearly  20  years,  yet  nothing  has  been  done  to  properly 
correct  it. 

While  studies  of  human  factors  in  maritime  safety  have  addressed  a  myriad  of  sub¬ 
jects,  few  of  the  studies  have  linked  their  conclusions  to  the  ship  accident  experience  [18]. 
For  example,  the  conclusions  of  the  NRC’s  1976  study  were  broad  and  multi-faceted  [18]. 
Table  5-1  presents  the  panel’s  conclusions. 


Table  5-1:  Factors  Contributing  to  Marine  Casualties 


Inattention 

Poor  eyesight 

Inadequate  lights  and  markers 

The  ambiguous  Master-Pilot  relation¬ 
ship 

Excessive  fatigue 

Misuse  of  radar 

Excessive  alcohol  use 

Uncertain  use  of  sound  signals 

Poor  operation  procedures 

Excessive  personnel  turnover 

Inadequacies  of  the  rules  of  the 
road 

Poor  physical  fitness 

High  calculated  risk  accep¬ 
tance 

The  study  offered  some  insight  to  the  causes  of  human  error,  but  failed  to  recommend 
effective  actions  that  the  industry  could  implement.  Gardenier  comments  on  such  studies 
[18]; 


Recommendations  that  result  from  such  studies  cover  everything  from  requiring 
expensive  new  equipment  to  changes  in  nearly  every  aspect  of  law,  regulation, 
staffing,  training,  design,  and  operation  of  ships.  Generally,  none  of  these  recom¬ 
mendations  is  suitably  evaluated  for  range  of  applicability,  expected  benefit,  social 
and  economic  cost,  and  locus  or  form  of  implementation.  Many  of  the  recom¬ 
mended  actions  have  much  less  value  upon  close  stu^  than  at  first  glance. 
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5.2  Human  Failure 


What  has  typically  been  called  human  error,  really  encompasses  more  than  just  the  act 
of  an  individual.  Human  error,  as  it  is  typically  used  in  attributing  accidents,  should  be  bro¬ 
ken  down  into  two  sets: 

1.  Human  Failure. 

2.  Individual  Errors. 

The  over-use  of  the  term  “human  error”  seems  to  lead  to  an  apathetic  perspective. 

Dougherty  [15]  suggests  that  the  term  “error”  is  unwarranted  in  many  high-risk  accidents  and 
it  can  lead  to  the  mis-allocation  of  resources  and  an  inability  to  avoid  future  accidents.  Even 
though  some  failures  are  attributable  to  people,  and  it  is  common  to  call  all  such  failures  hu¬ 
man  errors,  it  is  the  design  of  the  system  itself  that  is  prone  to  error.  In  fact,  individual  errors 
may  not  even  comprise  half  of  all  the  human  failures  [15].  Figure  5-1,  adapted  from 
Dougherty  and  Fragola  [15],  presents  the  context  of  human  failures  and  errors. 


Figure  5-1:  Context  of  Human  Failures  and  Individual  Errors 
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An  accident  is  an  event  or  occurrence  that  has  negative  result,  effects,  or  conse¬ 
quences.  Accidents  can  be  induced  by  factors  internal  and  external  to  the  system.  External 
factors  would  include  natural  disasters  or  other  contributions  outside  of  the  system.  A  sys¬ 
tem  failure  is  an  event  or  occurrence  that  has  negative  consequences  upon  the  system’s  func¬ 
tioning  [15].  Human  failure  is  a  system  failure  that  can  be  proximally  attributed  to  the  actions 
or  inaction  of  one  or  more  people  [15].  Individual  errors  are  also  system  failures,  but  their 
root  cause  can  be  attributed  to  a  single  person.  There  can  be  individual  errors  that  have  no 
significant  consequences  and  are  not  a  part  of  an  accident’s  causal  chain  [15]. 

Perrow  states  that,  “In  an  error-inducing  system,  the  tendency  to  attribute  blame  to 
operator  error  is  particularly  prominent”  [53].  Perrow  is  suspicious  of  the  80  percent  human 
error  attribution  in  marine  systems.  He  suggests  the  following  [53]: 

1 .  40  percent  unforced  operator  error:  component  failures  where  the  opera¬ 
tor  is  the  component  that  failed. 

2.  5  to  10  percent  system  accidents:  a  system  accident  is  an  integral  charac¬ 
teristic  of  the  system,  the  interactive  complexity  and  tight  coupling  of  the 
maritime  system  inevitably  will  produce  an  accident. 

3.  30  to  35  percent  forced  operator  error:  errors  resulting  from  a  complex 
and  tightly  coupled  system  which  requires  long  hours,  has  misplaced  priorities, 
and  skewed  incentives. 

53  Failure  Classification 

Human  failure  should  be  categorized  to  show  the  impact  of  all  the  factors  contributing 
to,  and  the  motivation  of,  those  individual  actions  which  result  in  an  accident. 

Human  failures  can  manifest  themselves  as  follows  [26]: 

1 .  Active:  failures  resulting  from  almost  instantly  observable  effects. 

2.  Latent:  failures  not  immediately  noticeable. 

Active  failures,  usually  associated  with  direct  and  responsive  operations,  are  recognized  im¬ 
mediately.  Latent  failures  result  in  adverse  consequences  that  may  lay  dormant  within  the 
system  for  a  long  time,  only  becoming  evident  when  they  combine  with  other  factors  [57]. 
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There  are  numerous  schemes  to  characterize  and  classify  human  failures  and  its  cau¬ 
sality.  Human  failure  may  occur  in  any  phase  of  the  design,  construction  and  operation  of  a 
complex  system  [39],  Unsatisfactory  performance  can  be  the  result  of  improper  design  and 
construction  of  the  system.  Of  the  three  phases,  design,  construction,  and  operations,  the 
majority  of  compromises  occur  during  the  operating  phase  and  can  be  attributed  to  errors 
developed  by  operating  personnel  [3].  Constraining  the  study  to  the  operations  phase,  a 
useful  breakdown  of  high  consequence  accidents  is  shown  in  Figure  5-2. 

Accidents  are  distinguished  between  environmental  and  human  factors.  Accidents 
due  to  environmental  factors  are  those  unavoidable  environmental  events  that  exceed  the  rea¬ 
sonable  demands  of  the  structure  during  its  lifetime  [3].  Accidents  resulting  from  human  er¬ 
ror  can  be  differentiated  into  those  caused  by  design,  construction,  and  operations.  Focusing 
on  operations,  the  elements  of  human  failure  are  influenced  by  the  synergistic  effects  of 

1.  Individuals. 

2.  Hardware. 

3.  Organizations. 

4.  Environment. 

5.  Procedures. 

The  amount  of  interdependence  reflects  the  amount  of  coupling  with  in  the  system.  In  a 
tightly  coupled  system,  each  area  can  not  be  addressed  in  isolation. 
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Figure  5-2:  Classification  of  Human  Failure 

While  the  importance  of  human  failure  has  been  known,  little  has  been  done  to  effec¬ 
tively  address  it.  Unfortunately,  there  are  several  technical  problems  in  trying  to  assess  the 
reliability  of  humans  in  a  risk  setting,  as  human  risk  assessment  is  a  relatively  new  discipline 
[15].  Rather  than  properly  address  human  failure,  the  industry  has  focused  on  technological 
and  structural  fixes  to  address  accident  prevention. 

There  is  a  tendency  towards  the  ideology  that  only  technology  is  allowed  to  promise 
progress,  that  replacing  technological  products  with  manual  operators  is  a  step  backwards 
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[20],  But  technology  can  increase  human  risk  and  the  susceptibility  for  human  failure  by  in¬ 
creasing  the  complexity  and  creating  a  more  tightly  coupled  system.  Even  though  major 
technological  advances  have  occurred  and  been  implemented,  the  attribution  of  human  failure 
has  remained  relatively  constant  over  the  past  20  years.  Many  accidents  are  induced  by  fail¬ 
ures  of  technological  systems,  which  seem  to  arise  from  the  complexity  of  the  systems  them¬ 
selves  [53]. 


5.4  Individual  Errors 

There  have  been  a  number  of  studies  undertaken  to  classify  individual  errors  and  error 
factors.  In  1976,  the  Panel  on  Human  Error  in  Merchant  Marine  Safety  defined  13  types  of 
individual  errors  into  which  all  potentially  harmful  individual  behavior  was  grouped  (Table  5- 
2)  [45]. 

Table  5-2:  Categories  of  Individual  Errors 


Panic  or  Shock 

Inattention 

Negative  Transfer  of  Training 

Sickness 

Incompetence 

Negligence 

Drunkenness  or  Drug  Influence 

Anxiety 

Ignorance 

Confusion 

Fatigue  or  Drowsiness 

Calculated  Risk 

Fear 

Based  on  a  study  of  unanticipated  compromises  of  acceptable  quality  involving  ma¬ 
rine  structures  resulted  in  a  list  of  individual  error  factors  summarized  in  Table  5-3  [5].  Both 
studies  reflect  approximately  the  same  factors  which  influence  individual  error. 

Table  5-3:  Individual  Error  Factors 


Fatigue 

Wishful  Thinking 

Bad  Judgment 

Negligence 

Mischief 

Carelessness 

Ignorance/Panic 

LazinessA^iolations 

Physical  Limitations 

Greed 

Drugs 

Boredom 

Folly/Ego 

Inadequate  Communication 

Inadequate  Training 
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Sometimes  causality  is  difficult  to  determine.  For  example,  a  great  number  of  colli- 
sions-at-sea  occur  between  ships  that  are  not  on  a  collision  course  until  one  or  both  ships 
change  course  after  becoming  aware  of  each  other  in  such  a  way  as  to  effect  a  collision  [53]. 
Part  of  the  explanation  is  the  way  human's  process  information.  People  tend  to  construct  an 
expected  world  because  the  real  world  is  too  complex,  then  the  available  information  is  proc¬ 
essed  to  fit  the  expected  [53]. 

The  act  of  navigating  and  piloting  a  ship  is  information  processing.  The  construction 
of,  and  reaction  to,  an  expected  situation  challenges  the  easy  explanations  for  human  error 
such  as  stupidity,  inattention,  risk  taking,  and  inexperience. 

The  construction  of  an  expected  situation  occurs  from  the  way  people  process  infor¬ 
mation.  Humans  inherently  introduce  biases  in  the  way  they  seek  information,  estimate  prob¬ 
abilities,  and  attach  values  to  outcomes.  It  is  because  of  these  biases  that  decisions  based 
upon  even  the  best  of  information  can  be  flawed.  The  following  is  a  short  list  of  some  of 
these  biases  [59]; 

1.  People  give  an  undue  amount  of  weight  to  early  evidence  or  information.  Sub¬ 
sequent  information  is  considered  less  important. 

2.  Humans  are  generally  conservative  and  do  not  extract  as  much  information 
from  sources  as  they  optimally  should. 

3.  The  subjective  odds  in  favor  of  one  alternative  or  the  other  are  not  assessed  to 
be  as  extreme  or  given  as  much  confidence  as  optimally  they  should. 

4.  As  more  information  is  gathered,  people  become  more  confident  in  their  deci¬ 
sions,  but  not  necessarily  more  accurate. 

5.  Humans  have  a  tendency  to  seek  far  more  information  than  they  can  absoib 
adequately. 

6.  People  often  treat  all  information  as  if  it  were  equally  reliable,  even  though  it  is 
not. 

7.  Humans  appear  to  have  a  limited  ability  to  entertain  a  maximum  of  more  than  a 
few  hypotheses  at  a  time. 

8.  People  tend  to  focus  on  only  a  few  critical  attributes  at  a  time  and  consider  only 
about  two  to  four  possible  choices  that  are  ranked  highest  on  those  few  critical  at¬ 
tributes. 

9.  People  tend  to  seek  information  that  confirms  the  chosen  course  of  action  and  to 
avoid  information  or  tests  whose  outcome  could  disconfirm  the  choice. 
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10.  A  potential  loss  is  viewed  as  having  greater  consequence  and  therefore  exerts  a 
greater  influence  over  decision-making  behavior  than  does  a  gain  of  the  same 
amount. 

11.  People  believe  that  mildly  positive  outcomes  are  more  likely  than  mildly  nega¬ 
tive  outcomes,  but  that  highly  positive  outcomes  are  less  likely  than  mildly  positive 
outcomes. 

12.  People  tend  to  believe  that  highly  negative  outcomes  are  less  likely  than  mildly 
negative  outcomes. 

Computers  and  other  technology  can  aid  in  the  decision  process  by  aggregating  the  available 
information  and  processing  for  the  best  outcome.  Fundamentally,  an  understanding  of  human 
information  processing  is  essential  to  further  develop  ship  systems. 


5.6  Hardware 

Systems  of  inadequate  design  exacerbate  human  failure.  The  hardware  portion  of  a 
system  is  a  collection  of  equipment  that  has  specific,  intended  functions,  and  interacts  among 
its  pieces  and  with  the  people  and  software  that  operate  the  system  [15].  While  technology  is 
increasing  equipment  reliability,  some  believe  that  it  is  reducing  the  human  reliability  of  its 
operation  [26].  Engineers  are  often  wont  to  incorporate  new  technology,  but  these  new 
technologies  tend  to  compound  latent  system  flaws  [5].  These  latent  flaws  can  be  manifested 
in  a  complex  design,  close  coupling  (failure  of  one  component  leads  to  failure  of  other  com¬ 
ponents),  difficult  maintenance,  and  severe  performance  demands. 

Technology  must  also  balance  its  ability  to  liberate  human  functions  with  the  inevita¬ 
bility  of  human  boredom  when  operators  shift  from  doing  to  monitoring.  Technological  de¬ 
velopments  incorporating  automated  systems  change  the  role  of  the  operator  from  an  active 
to  a  passive  participant.  The  longer  the  individual  is  removed  as  an  active  participant,  the  less 
likely  the  person  will  have  a  clear  understanding  of  the  inner  workings  of  the  system  should  a 
crisis  occur  [43]. 
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5.5  Procedures 


A  taxonomic  system  relating  skill,  knowledge  and  rule-based  actions  to  an  operational 
task  is  shown  in  Figure  5-2  [15], 

The  taxonomy  shows  the  role  of  procedures  in  terms  of  a  rule-based  action  and  diag¬ 
nosis  based  on  the  complexity  of  task  to  be  completed.  If  diagnosis  or  decision  making  is 
needed  but  no  rules  are  available  to  assist  the  actmty,  then  action  must  be  based  on  a  deep 
fundamental  knowledge  [15],  Skills  include  pattern  recognition  and  actions  that  are  manual, 
well  trained,  well  known,  and  practiced  frequently  [15],  Where  either  skill  or  knowledge  is 
insufficient  or  inappropriate,  rule  based-behavior  is  essential. 


SKILL-BASED 


RULE-BASED 

ACTION 


RULE-BASED 

DIAGNOSIS 


KNOWLEDGE-BASED 


I 


Figure  5-3:  Embrey’s  Taxonomic  System 
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Since  absolute  skill  and  knowledge  can  not  be  achieved  for  the  various  levels  of  op¬ 
eration  of  an  oil  tanker,  there  must  be  minimum  levels  of  expertise  with  appropriate  proce¬ 
dures.  Voyage  planning,  pre-underway  check-off  lists  and  explicit  communication  proce¬ 
dures  are  all  examples  of  necessary  rules  that  must  come  from  an  overall  procedural  frame¬ 
work  that  needs  to  be  developed,  evaluated,  implemented  and  enforced. 


5.7  Organizations 

The  influence  of  the  organizations  on  the  reliability  of  marine  systems  is  the  most  per¬ 
vasive  of  the  human  failure  related  accidents  [5]. 

Organizations  have  an  impact  on  individual  response  as  a  result  of  its  structure  and 
culture.  Both  structure  and  culture  are  functions  of  each  other.  As  the  NRC  states  [48]: 

The  traditional  command  and  leadership  relationship  has  been  considered 
necessary  to  maintain  order  and  discipline,  especially  when  faced  with  operating 
conditioits  that  threaten  the  vessel,  officers,  and  crew.  But  the  hierarchical  struc¬ 
ture  results  in  unidirectional,  top-down  communications.  Marine  language  and 
practices  that  derive  from  this  traditional  structuring  leave  little  room  for  the  de¬ 
velopment  of  a  culture  that  encourages  bottom-up  communication  or  the  provision 
of  rewards  when  it  happens. .  .This  may  be  an  important  deficiency  in  the  marine 
navigation  and  piloting  system. . .  Communication  of  problems  detected  by  subor¬ 
dinates  and  solutions  they  may  propose  can  be  stifled  by  the  rigidity  of  the  tradi¬ 
tional  bridge  organization  and  culture  unless  the  operating  company,  through  the 
master,  has  fostered  a  more  receptive  bridge  team  communications  environment. 

The  goals  set  by  an  organization  can  be  the  impetus  for  otherwise  rational  people  to 
make  irrational  decisions.  Pressures  to  reduce  costs  and  maintain  schedules  may  suppress  the 
prudence  of  safe  operations. 

Faulty  decisions  and  subsequent  erroneous  navigation  that  lead  to  accidents  can  be 
related  to  the  communication  flow-path  among  the  crew.  But  it  is  the  organization  which 
establishes  the  structure  of  the  communication  flow-path.  The  safety  of  passage  requires  that 
the  crew  function  as  a  team,  especially  in  a  restricted  maneuvering  setting.  Sharing  informa¬ 
tion  and  support  among  bridge  team  members  is  required  to  safely  navigate  the  range  of  haz¬ 
ards  and  conditions  encountered  [48].  Since  access  to  information  is  t)q)ically  divided  among 
the  team  members,  a  loss  in  the  smooth  functioning  of  the  team  results  in  a  break  in  the  flow 
of  information. 
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Other  aspects  of  the  organization  are  the  individual  differences  among  crew  members. 
These  differences  are  amplified  when  multi-national  crews  are  employed.  Language  barriers, 
cultural  and  economic  background  all  influence  the  cohesiveness  of  the  team. 

Fundamentally,  the  faults  described  above  can  be  broken  into  two  classes  of  problems 
facing  organizations  [5]: 

1 .  Information:  who  knows  what  and  when. 

2.  Incentive:  how  are  individuals  rewarded,  what  decision  criteria  do  they 
use,  how  do  these  criteria  fit  the  overall  objectives  of  the  organization? 

5.8  The  Environment 

External  and  internal  environments  contribute  to  human  error. 

1.  External  factors:  darkness,  extreme  temperature,  storms  and  other  natural 
phenomena. 

2.  Internal  factors:  lighting,  temperature,  noise  levels,  and  vibrations. 

Environmental  effects  can  create  psychological  and  physiological  human  responses  that  can 
exacerbate  the  potential  for  human  error. 


5.9  Summary 

Human  failures  encompass  more  than  individual  errors.  The  tendency  to  classify  all 
human  failures  as  individual  errors  has  led  to  the  notion  that  these  failures  are  a  part  of  human 
nature.  As  long  as  humans  operate  ships,  there  will  be  individual  errors.  Studies  of  the  role 
of  human  failures  in  engineered  structures  have  shown  that  they  are  inevitable  [3],  but  many 
human  failures  can  be  prevented  through  the  appropriate  management  and  technology. 

Specific  programs  which  can  be  implemented  or  enhanced  to  reduce  the  probability 
and/or  effects  of  human  failures  are: 

1 .  Qualification  and  training. 

Licensing. 

2.  Procedures. 
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Normal  Operating. 

Emergency  Operating. 

Maintenance. 

Emergency  Preparedness. 

3.  Technical  Specifications. 

4.  Human-machine  Interface. 

Bridge. 

Propulsion  Control  Rooms. 

5.  Organization  and  Management. 

Given  the  continued  rate  of  accidents  attributable  to  human  errors,  engineers,  man¬ 
agers,  and  regulators  need  to  begin  formally  addressing  human  factors  in  design,  construc¬ 
tion,  and  operations  of  marine  systems  [3]. 

The  classification  for  human  failure  has  been  presented  in  general  terms  in  order  to 
present  the  overwhelming  nature  of  the  problem.  Once  the  identification  of  system  failure 
and  sequences  has  occurred,  (step  1  of  the  basic  PRA  tasks  -  Figure  4-1),  many  of  the  fun¬ 
damental  faults  will  be  due  to  human  failures.  It  will  be  necessary  to  take  a  more  detailed 
analysis  of  causality  to  determine  the  nature  of  the  failures,  and  the  significant  factors  con¬ 
tributing  to  the  failures  in  order  to  assign  probability  values  (step  2  of  Figure  4-1). 
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Chapter  6  Planning  and  Piloting 


6.1  Navigation  Control  Model 

The  causality  of  human  failure  to  order  the  proper  course  requires  an  evaluation  of 
how  errors  are  created  in  the  ship  piloting  and  navigating  process.  It  must  be  recognized  that 
maneuvering  a  ship  on  the  proper  course  involves  the  constant  comparison  of  actual  position 
to  expected  position. 

The  piloting  process  can  be  viewed  as  a  feedback  control  system.  A  feedback  control 
system  is  a  control  system  that  tends  to  maintain  a  prescribed  relationship  of  one  system  vari¬ 
able  to  another  by  comparing  functions  of  these  variables  and  using  the  difference  as  a  means 
of  control  [14]. 

To  illustrate  the  concept  of  a  feedback  control  system,  consider  the  human  being  as 
the  controller  driving  an  automobile.  The  driver  constantly  compares  the  position  of  the 
automobile  on  the  road  with  his  idea  of  a  safe  position.  When  the  controlled/actual  position 
exceeds  an  acceptable  tolerance  from  the  reference/safe  position,  the  driver  observes  the  er¬ 
ror  and  either  turns  the  wheel,  operates  the  break,  or  operates  the  accelerator  to  minimize  the 
error. 

With  the  mariner  there  must  be  a  conscious  effort  to  fix  the  ship’s  position  and  adjust 
the  course  and  speed  as  necessary  to  either  maneuver  the  ship  back  to,  or  keep  the  ship  on, 
its  intended  track.  The  time  for  the  ship  to  react  to  a  change  in  speed  or  course  is  not  imme¬ 
diate.  Additionally,  the  environmental  conditions  significantly  affect  the  ship’s  response.  The 
competent  mariner  must  continually  seek  answers  to  the  following  questions:  “Where  is  the 
ship  now?”  and,  “Where  is  the  ship  going  to  be  in  the  next  minute;  hour;  or  day”  [23]? 
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A  simple  block  diagram  of  a  navigation  control  system  is  shown  in  Figure  6-1.*  The 
desired  course  and  speed  are  determined  by  comparing  the  planned  track  and  any  changes 
forced  by  external  events,  to  the  actual  course.  The  desired  course  has  a  feedback  structure 
to  allow  for  any  changes  imposed  by  external  events  (weather,  personnel,  mechanical  failure, 
etc.),  changes  are  then  considered  by  imposing  the  new  boundary  conditions  and  re¬ 
evaluating  for  the  intended  track. 


COURSE  CONTRa  MCCa. 


Figure  6-1:  Navigation  Control  Model 


Once  the  intended  track  (desired  course/speed)  is  deduced,  the  ordered  course/speed 
is  then  determined  by  considering  the  error  generated  through  the  process  of  comparing  the 
measured  course/speed  to  the  desired  course/speed.  An  expected  position  is  determined  from 
the  ship's  course,  speed,  and  environmental  effects  through  the  process  of  dead  reckoning. 
The  conning  officer  (the  officer  standing  watch  responsible  for  the  safe  piloting  and  naviga¬ 
tion  of  the  vessel)  must  recognize  any  errors  generated  and  act  to  minimize  those  errors. 

In  the  open  ocean,  with  little  or  no  traffic,  the  navigation  system  is  tolerant  of  errors. 

It  can  exist  in  a  failure  state  without  any  serious  ramifications.  But  as  ships  approach  narrow, 
restricted  channels  and  high  density  traffic,  the  error  tolerance  decreases  significantly. 

*  Figure  6-1  presiunes  an  elementary  knowledge  of  control  system  theory.  Dorf  [14]  provides  an  excellent 
introduction  to  control  system  theory. 
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6.2  Navigation  and  Piloting 


The  navigation  of  a  ship  is  divided  into  four  primary  classifications  [34]: 

1.  Piloting:  determining  the  position  and  movements  of  a  ship  by  reference  to 
land  and  sea  marks,  by  depth,  or  by  radar. 

2.  Dead  Reckoning:  the  projection  of  a  present  position,  or  anticipated  future 
position,  from  a  previous  known  positions  using  the  best  available  informa¬ 
tion. 

3.  Celestial  Navigation:  the  determination  of  position  by  observing  the  celes¬ 
tial  bodies. 

4.  Radio  Navigation:  the  determination  of  position  using  the  radio  frequency 
spectrum,  e.g.  radar,  satellites. 

Piloting  requires  the  greatest  experience  of  any  form  of  navigation.  Mistakes  of  navi¬ 
gation  on  the  open  ocean  can  generally  be  discovered  and  corrected  before  an  casualty  is  in¬ 
curred.  In  pilot  waters,  there  is  little  or  no  opportunity  to  correct  errors  [34]. 

The  fundamental  process  of  determining  the  ship’s  actual  position  is  through  dead 
reckoning.  The  initial  element  of  the  ship’s  dead  reckoning  (DR)  plot  is  the  fix.  A  fix  is  de¬ 
termined  by  the  intersection  of  a  least  two  simultaneous  lines  of  position  (LOPs).  The  ship 
lies  on  the  LOP  and  the  fix  localizes  the  position  by  intersecting  two  or  more  LOPs. 

The  mechanics  of  piloting  can  be  intensive.  Personnel  constraints  on  commercial  ves¬ 
sels  leave  the  act  of  navigation  and  piloting  to  one  or  two  officers.  Since  speed  and  efficiency 
are  of  prime  importance,  it  is  not  uncommon  for  the  officer  on  watch  to  rely  primarily  on  ra¬ 
dar  bearings  and  ranges,  and  on  visual  bearings  only  for  verification  or  where  the  need  for 
accuracy  dictates  [34]. 

Before  entering  restricted  waters,  a  local  certified  pilot  embarks  to  lend  expertise  in 
negotiating  the  entry.  When  the  pilot  boards,  he  must  be  immediately  acquainted  with  the 
characteristics  of  the  ship  and  a  plan  should  be  offered  for  his  approval  [6].  The  basic  pas¬ 
sage  plan  for  pilotage  waters  is  agreed  by  the  pilot  and  adjusted  to  his  advice  before  being 
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undertaken.  Having  a  pilot  on  board  does  not  relieve  the  Master  from  the  responsibility  of 
ensuring  a  safe  passage. 


6.3  Voyage  Planning 

Modem  methods  of  determining  a  ship’s  position  include  various  inertial,  radio  and 
satellite  navigation  systems.  Supplemental  to  these  electronic  methods  are  the  manual  meth¬ 
ods  for  fixing  a  ship’s  position  by  intersecting  lines  of  position.  It  must  be  remembered  that 
once  a  fix  has  been  obtained  and  plotted,  it  does  not  represent  the  location  now  or  in  the  fu¬ 
ture,  rather  it  only  reflects  where  the  ship  was  at  the  time  of  taking  the  lines  of  position.  The 
ships  projected  position  must  be  plotted  through  the  technique  of  dead  reckoning.  These 
elements  of  navigating  and  piloting  a  ship  are  integrated  through  the  process  of  voyage  plan¬ 
ning. 

The  key  to  successful  planning  of  any  voyage  is  advanced  preparation.  Planning  is  a 
fundamental  principle  of  safe  navigation  [34].  A  properly  planned  voyage  consists  of  more 
than  just  a  scheduling  of  the  courses  and  speeds  to  get  from  the  origin  to  the  destination  in  a 
specified  amount  of  time.  A  voyage  plan  must  consider  weather,  personnel,  other  shipping, 
machinery,  and  any  possible  contingencies  that  may  be  encountered.  In  a  mathematical  sense, 
voyage  planning  is  the  determination  of  the  following  integral,  where  the  necessary  consid¬ 
erations  impose  boundary  conditions  upon  the  process: 


it(destination) 
v(t)  dt 
•*t(origin) 


^final  “  ^  initial 


(5) 


Every  passage,  every  departure  from  and  entry  into  port  must  be  planned  in  advance, 
based  on  all  the  information  available.  In  voyage  planning,  the  planner  must  evaluate,  from 
the  available  information,  the  desired  route  and  any  alternative  routes  to  account  for  contin- 
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gencies.  The  essential  considerations  involved  with  planning  any  voyage  include  the  follow¬ 
ing; 

1.  Schedule;  management  of  a  tanker  requires  adherence  to  a  schedule  to 
perform  loading  and  unloading  operations  thereby  imposing  time  constraints 
for  arrival  and  departure  dates. 

2.  Navigational  Information;  Navigational  information  is  that  information 
which  is  necessary  to  detail  the  possible  safe  routes,  and  outline  any  hazards  to 
avoid  in  order  to  transit  from  the  origin  to  the  destination.  It  includes  the  ex¬ 
pected  open  ocean  and  tidal  currents,  prevailing  weather,  and  navigational 
aids. 

3.  Equipment/Personnel;  Equipment  and  personnel  considerations  impose 
time  constraints  on  the  process.  Equipment  status,  maintenance  schedules, 
and  availability  of  properly  qualified  personnel  can  compel  departure  and  arri¬ 
val  dates  which  otherwise  might  not  be  considered. 

4.  Procedures;  The  procedural  aspects  of  voyage  planning  includes  the  proc¬ 
ess  of  determining  the  aforementioned  considerations. 


Recall  that  the  planning  process  is  the  evaluation  of  equation  (5).  To  ensure  that  the 
many  facets  of  a  voyage  are  not  overlooked,  the  procedures  for  planning  a  voyage  should 
include  a  check-list  to  lay  out  all  of  the  anticipated  requirements,  such  as: 

1 .  The  required  charts  and  publications. 

2.  Expected  currents  and  tides. 

3.  Navigational  aids. 

4.  Traffic  separation  and  routing  schemes. 

5.  Navigational  warnings. 

6.  Navigational  equipment  status. 

7.  Ship’s  maneuvering  data. 

(There  are  many  more  aspects  to  consider,  reference  [6]  provides  a  more  complete  checklist.) 
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Every  passage  is  accompanied  with  the  potential  of  having  to  abandon  the  plan  owing 
to  changed  conditions  or  circumstances.  These  changed  conditions  may  arise  with  little  or 
now  warning,  allowing  no  time  for  a  full  reapprrusal.  Experience  has  shown  that  certain 
events  are  more  likely  than  others,  hence  alternative  plans  can  be  appraised  for  likely  devia¬ 
tions,  such  as  [6]; 

1.  Delay  due  to  reduced  visibility. 

2.  Pilot,  tugs,  berths  not  available. 

3.  Changed  tidal  conditions. 

4.  Breakdown  of  ship  or  equipment. 

5.  Diversion  to  a  new  destination. 

6.  The  need  to  seek  refuge  owing  to  heavy  weather. 

Prior  to  getting  under  way,  the  ship’s  preplanned  “track”  should  be  laid  down  on  the 
appropriate  charts.  The  ships  track  is  described  by  the  appropriate  course  and  speed  vectors 
which  outline  the  intended  path  that  the  ship  would  follow  over  ground.  This  track  then  rep¬ 
resents  the  desired  course  and  speed  of  the  ship. 

In  conjunction  with  plotting  the  track,  safe  limits  of  navigation  should  be  clearly 
marked.  Safe  limits  of  navigation  should  be  referenced  to  a  precomputed  visual  bearing,  ei¬ 
ther  to  a  prominent  landmark,  or  navigational  aid.  Additionally,  “turn  bearings”  should  be 
annotated  and  referenced  in  the  same  manner  in  order  to  turn  the  ship  at  the  correct  time. 

Knowledge  of  the  ships  maneuvering  characteristics  is  vital  in  pilotage  waters.  Spe¬ 
cifically,  consideration  must  be  taken  of 

1 .  Advance:  the  distance  gained  in  the  original  direction  until  the  ship  stead¬ 
ies  on  her  new  course. 

2.  Transfer:  the  distance  gained  at  right  angles  to  the  original  course,  meas¬ 
ured  from  the  line  representing  the  original  direction  of  travel  to  the  point  of 
completion  of  the  turn. 

3.  Head  reach:  the  distance  that  a  ship  will  travel  from  the  point  where  action 
is  taken  to  stop  it  to  the  point  where  it  is  dead  in  the  water. 
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The  distances  required  to  turn  or  stop  a  large  ship  can  thousands  of  yards.  The  response  in 
shallow  water  becomes  degraded. 

In  the  evaluation  process  there  are  spatial  and  temporal  constraints  that  must  be  con¬ 
sidered.  The  spatial  constraints  dictate  the  course  of  the  track  in  order  to  avoid  any  hazards 
to  navigation.  Temporal  constraints,  which  are  imposed  by  schedules,  affect  the  speed  of  the 
track.  Consideration  must  be  made  of  weather,  shipping  channel  speed  limits,  and  the  ma¬ 
neuverability  of  the  vessel. 


6.4  Summary 

Planning,  piloting,  and  navigating  are  rudimentary  processes  for  the  operation  of  any 
ship.  To  properly  assess  the  risks  of  tanker  operations,  there  must  be  a  fundamental  under¬ 
standing  of  the  planning,  piloting  and  navigating  processes.  The  concepts  will  be  further  ex¬ 
ploited  to  develop  the  fault  tree  used  to  model  tanker  risks. 
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Chapter  7  Developing  the  Fault  Tree 

7.1  Classification  of  Spills 

The  first  step  in  assessing  the  probability  of  impact  (Figure  4-3),  is  to  identify  system 
failures  and  sequences.  Fault  trees  provide  a  systematic  methodology  to  identify  system  fail¬ 
ures.  The  first  step  in  developing  the  fault  tree  is  to  determine  the  top  event.  The  top  event 
will  be  accidental  oil  outflow.  However,  there  is  no  typical  tanker  vessel  accident  scenario 
that  leads  to  pollution  [47],  so  it  is  necessary  to  categorize  the  major  classes  of  accidents 
which  result  in  pollution.  Tanker  incidents  are  typically  categorized  as  follows: 

1.  Collision 

2.  Grounding. 

3.  Fire/explosion. 

4.  Structure/hull  failure. 

Figure  7-1  [47]  graphically  displays  the  causes  of  major  oil  spills  from  tankers  for 
1976  to  1989.  For  each  class  of  accidents,  initiating  events  must  be  developed  which  pro¬ 
duce  the  top  event. 

With  the  major  classes  of  accidents  classified  as  in  Figure  7-1,  the  next  step  is  to 
structure  each  class  of  accident  in  a  fault  tree.  Figure  7-2  shows  the  first  level  of  a  fault  tree 
for  a  tanker  accident  that  results  in  the  top  event  of  accidental  oil  outflow. 
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7.2  Groundings  as  a  First  Analysis 


Groundings  and  collisions  together  represent  the  largest  contribution,  by  volume  and 
number  of  incidents,  to  oil  pollution.  When  analyzing  a  collision,  an  In  Extremus  situation 
necessarily  precedes.  In  Extremus  situations  require  both  vessels  to  maneuver  to  avoid  colli¬ 
sion.  The  fundamental  cause  of  a  collision,  regardless  of  the  vessel,  is  the  failure  to  maneuver 
to  avoid  the  collision.  Many  of  the  same  avoidance  factors  that  are  functions  of  collisions  are 
relevant  to  groundings.  The  difference  between  the  collision 

and  grounding  analysis  is  the  number  of  ships  involved.  Where  the  collision  necessarily  in¬ 
volves  the  dynamics  of  two  ships,  the  grounding  involves  one.  The  NRC  found  that  for  tank¬ 
ers  over  10,000  dwt,  grounding  events  dominate  in  terms  of  both  numbers  of  accidents  and 
volume  spilled  [47].  Hence,  the  first  analysis  will  be  for  the  grounding  accident. 

As  the  fundamental  cause  of  a  collision  is  allowing  another’s  vessel  to  get  too  close, 
an  analogous  statement  may  be  said  of  a  grounding:  the  sole  cause  is  allowing  one’s  vessel  to 
venture  into  waters  where  the  draft  exceeds  the  depth  [7]. 

Cahill  [7]  describes  a  series  of  well-documented  groundings.  The  fundamental  reason 
for  allowing  the  vessel’s  draft  to  exceed  the  depth  of  water  for  those  groundings,  was  an  im¬ 
proper  human  response  to  an  indication.  In  essence,  human  failures  prevail  as  the  predomi¬ 
nate  factors  in  grounding  accidents. 


7.3  Developing  the  Grounding  Fault  Tree 

To  fiirther  develop  the  fault  tree  for  groundings,  recall  that  a  grounding  is  caused  by 
the  ship  entering  an  area  where  the  draft  exceeds  the  depth.  It  becomes  necessary  to  deter¬ 
mine  why  the  ship  has  encountered  that  situation.  Fundamentally,  the  ship  can  either  follow  a 
safe  track  or  an  unsafe  track.  An  unsafe  track  necessarily  intersects  a  hazard.  (The  hazard  is 
that  encounter  where  the  draft  exceeds  the  depth.) 

A  vessel  can  survive  in  a  failure  state  if  it  does  not  intersect  a  hazard.  Interest  lies 
only  in  the  case  where  the  infinite  possible  combinations  of  integrating  the  velocity  vector 
result  in  the  final  position  of  the  ship  the  same  as  the  hazard: 
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(6) 


*t(destination) 
v(t)  dt 

•  t(origin) 


^hazard"  ^  initial 


Given  that  the  grounding  failure  state  is  the  state  of  interest,  the  ship  is  following  an 
unsafe  track.  Because  the  ship  is  proceeding  down  an  unsafe  track,  there  are  two  concerns  to 
investigate: 

1.  The  ship  is  able  to  follow  a  safe  track 

2.  The  ship  is  unable  to  follow  a  safe  track. 


If  the  ship  is  able  to  follow  a  safe  track,  then  a  determination  must  be  made  of  why  it  is  pro¬ 
ceeding  down  an  unsafe  track.  Figure  7-3  depicts  these  concepts  in  the  fault  tree. 


Figure  7-3:  Basic  Grounding  Fault  Tree 


By  deductively  reducing  each  successive  step  in  the  top-down  approach,  the  fiinda- 
mental  causes  of  groundings  can  be  understood  and  evaluated.  Continuing  with  these  seem¬ 
ingly  rudimentary  steps  in  order  to  determine  successive  causes  will  create  the  complete  fault 
tree  shown  in  Figure  7-4.  The  process  of  developing  the  fault  tree  is  subsequently  described. 
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Figure  7-4:  Grouading  Fault  Tree 


7.4  The  Actual  Course  Follows  an  Unsafe  Track 


The  ship’s  actual  course  is  following  an  unsafe  track,  yet  there  is  nothing  physically 
preventing  the  ship  from  following  a  safe  track.  Thus,  two  options  can  be  deduced: 

1 .  The  desired  track  is  unsafe. 

2.  The  course  has  deviated  from  a  desired  safe  track. 

Given  that  the  ship  is  capable  of  following  a  safe  track,  then,  when  the  desired  track  inter¬ 
sects  a  hazard,  causality  is  constrained  to  the  planning  process.  However,  when  the  ship’s 
course  deviates  from  a  desired  safe  track  to  an  unsafe  track,  causality  is  constrained  to  the 
piloting  process. 


7.4.1  The  Desired  Track  is  an  Unsafe  Track 

It  is  necessary  to  determine  where  in  the  planning  process  that  the  desired  track  be¬ 
comes  coincident  with  an  unsafe  track  leading  to  a  grounding.  The  coincidence  of  a  desired 
track  and  a  grounding  track  can  occur  under  two  different  scenarios; 

1.  Properly  planned  track:  the  process  of  planning  has  been  completed  satis¬ 
factorily. 

2.  Improperly  planned  track:  errors  have  occurred  in  the  planning  process 

Planning  includes  both  the  initial  voyage  planning,  and  the  dynamic  planning  which  is 
done  as  a  result  of  external  conditions  imposing  new  constraints. 

The  importance  of  proper  planning  can  be  illustrated  through  the  use  of  the  navigation 
control  model.  Clearly,  if  the  ship  navigation  control  system  were  completely  accurate,  then 
groundings  would  not  occur  due  to  deviations  of  the  actual  course  from  the  desired  track. 

But  even  accurate  systems  will  yield  an  undesirable  response  if  the  input  is  incorrect.  As  the 
colloquialism  goes  “garbage  in  -  garbage  out.”  For  example,  a  ship  proceeding  without  the 
correct  chart  reflects  an  improper  input  to  the  control  system.  Regardless  of  how  accurate 
the  fix,  if  the  intended  track  intersects  an  unknown  hazard  to  navigation,  the  accuracy  of  the 
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control  system  is  irrelevant  and  the  reliability  of  the  system  becomes  limited  by  the  reliability 
of  the  input. 

Dynamic  planning  incorporates  the  same  planning  process ,  but  it  is  done  because 
some  unanticipated  event  (weather,  mechanical  failure,  another  ship  crossing  the  bow,  etc.) 
has  imposed  new  constraints  upon  the  voyage.  Dynamic  planning  is  inherently  a  part  of  navi¬ 
gating  and  piloting  a  ship.  It  often  requires  a  rapid  decision,  and  it  is  typically  a  quality  of  a 
skillful  conning  officer. 

When  the  course  is  properly  planned  with  all  available  information  but  still  intersects  a 
hazard,  the  fault  lies  in  the  information  itself  (e.g.  incorrect  charts).  The  planner  has  utilized 
the  most  current  information  and  evaluated  the  intended  tracks  properly.  But  because  the 
most  current  information  does  not  reflect  the  most  current  conditions,  the  intended  track  in¬ 
tersects  a  grounding  hazard. 

Groundings  can  and  do  occur  due  to  inaccurate  charts.  Nautical  charts  are  prepared 
from  the  latest  available  hydrographic  surveys.  Only  a  small  portion  of  U.S.  waters  have 
been  surveyed  using  the  most  advanced  techniques,  and  60  percent  of  the  soundings  shown 
on  nautical  charts  are  based  on  lead-line  surveys  conducted  over  45  years  ago  [48]. 

For  an  improperly  planned  course,  the  voyage  planning  process  has  not  been  com¬ 
pleted  to  success: 

1.  The  wrong  information  is  used:  the  correct  information  is  available  but  is 
not  used  resulting  in  the  wrong  constraints  placed  upon  the  planning  evalua¬ 
tion. 

2.  Insufficient  information  is  used:  the  planning  process  is  based  upon  in¬ 
complete  knowledge  of  the  voyage. 

7.4.2  Actual  Course  Deviates  from  a  Safe  Desired  Track 

The  ship  can  be  on  the  wrong  course  because  it  has  deviated  from  the  desired  track. 
Recall  from  the  navigation  control  model,  in  Figure  6-1,  that  deviations,  which  occur  as  the 
actual  course  diverges  from  the  desired  track,  create  error  signals  which  the  conning  officer 
must  recognize.  The  inaccuracy  of  the  system  is  reflected  when  there  is  either  a  failure  to 
recognize  that  the  ship’s  actual  position  differs  from  its  estimated  position,  or  a  difference  in 
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actual  verses  desired  position  results  in  insufficient  action  to  eliminate  the  difference.  After 
the  difference  is  recognized,  there  must  be  an  overt  action  to  adjust  the  ordered  course  to 
keep  the  error  as  close  to  zero  as  possible. 

Before  proceeding  any  further  it  is  necessary  to  review  how  a  difference  error  is  rec¬ 
ognized.  Most  ships  require  a  proactive  interface  between  the  sensors  and  the  conning  offi¬ 
cer.  The  conning  officer  must  take  the  initiative  in  the  process.  The  proactive  process  of  pi¬ 
loting  a  ship  is  dead-reckoning.  Errors  are  detected  by  taking  lines  of  position  to  fix  the  ship 
and  compare  the  fix  to  the  track.  There  will  always  be  an  error  signal  when  the  actual  course 
deviates  from  the  desired  track.  That  signal  may  be  masked  by  instrument  error,  or  electri¬ 
cal/mechanical  failure  of  navigation  systems,  but  the  error  still  exists  and  can  be  checked  by 
visual  lines  of  bearing  to  navaids,  or  celestial  fixes,  etc. 

The  heart  of  navigation  control  model  then,  is  the  human  decision  process  of  deter¬ 
mining  if  there  is  an  error,  and  how  much  action  is  required  to  reduce  the  error.  Given  that 
an  error  exists  in  the  difference  between  actual  course  and  desired  track,  that  error  can  either 
be  detected  or  continue  to  go  unrecognized. 

If  the  difference  error  is  not  detected  then  causality  is  constrained  to  the  fix  or  lack 
thereof.  If  the  diflFerence  error  is  recognized,  then  there  must  be  a  determination  of  why  in¬ 
sufficient  action  was  taken. 

7.4.2.a  The  Difference  Error  is  Recognized 

The  possible  actions  which  result  in  grounding  after  recognizing  that  the  actual  course 
differs  from  the  desired  track  are: 

1.  Untimely  action:  the  right  action  is  taken  but  not  in  time  to  preclude  an 
accident. 

2.  Erroneous  action:  the  wrong  action  is  taken. 

It  is  assumed  that  all  the  information  is  available  to  the  conning  officer  and  the  difference  er¬ 
ror  is  recognized  in  sufficient  time  to  preclude  a  grounding.  Hence,  untimely  or  incorrect  ac¬ 
tion  in  response  to  the  difference  error  is  either  a  failure  of  the  conning  officer  to  respond 
sufficiently  to  the  error,  or  the  helmsman  to  act  promptly  to  the  conning  officer’s  orders. 
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7.4.2.b  The  Difference  Error  is  Not  Recognized 


If  the  difference  between  the  actual  course  and  the  desired  track  goes  unrecognized, 
then  the  failure  lies  solely  with  the  conning  officer.  Recall  that  the  conning  officer  must  com¬ 
pare  all  of  the  following: 

1.  Position  Sensors:  gyro,  compass,  lookout,  radar  errors. 

2.  Position  Measurements:  procedural  errors  it  taking  lines-of-position. 

3.  Position  Estimates:  procedural  errors  in  dead-reckoning. 

The  breakdown  in  the  loop  occurs  in  the  proactive  process  which  must  be  initiated  by  the 
conning  officer.  Typically  causality  lies  in  inattention.  The  NRC  listed  inattentiveness  as  the 
primary  cause  of  maritime  accidents  [45].  But  there  are  other  reasons  which  may  cause  a 
conning  officer  to  be  distracted  from  his  duties,  and  these  were  outlined  in  chapter  5. 


7.5  Summary  of  the  Course  Proceeding  down  an  Unsafe 
Track 

Figure  7-7  summarizes  the  fault  tree  for  the  actual  course  proceeding  down  an  unsafe 
track.  Basically,  the  faults  occur  because  of  either  planning  errors  or  piloting  errors. 


63 


GROUNCUNG 


THE  ACTUAL 
COURSE PROCEEDS 
DOWN  AN  UNSAFE 
TRACK 


ABLE  TO 
FOLLOW  SAFE 
TRACK 


Figure  7-5:  Fault  Tree  for  Actual  Course  Proceeding  down  an  Unsafe  Track 


6. 


7.6  Unable  to  Steer  the  Ordered  Course 


The  correct  course  is  known  but  the  ship  that  is  unable  to  steer  that  course.  In  this 
case,  the  ship  is  necessarily  subjected  to  a  number  of  parallel  factors.  All  of  the  following 
must  occur: 

1 .  Lost  way:  the  ship  has  lost  its  ability  to  be  effectively  controlled 

2.  Unsafe  wind/current:  when  the  ship  has  lost  way,  there  must  be  the  neces¬ 
sary  wind/current  to  force  the  ship  into  the  grounding  situation. 

3.  Anchor  failure:  given  that  the  ship  is  unable  to  d3mamically  control  its 
course,  the  anchor  must  fail  allowing  the  environment  to  control  the  inevita¬ 
ble. 

4.  Assistance  failure:  in  addition  to  the  above,  there  must  be  a  failure  of  as¬ 
sistance  to  prevent  the  grounding. 

Figure  6-14  shows  the  partial  fault  tree  for  the  inability  to  steer  the  correctly  ordered 


course. 


Figure  7-6:  Partial  Fault  Tree  for  the  Inability  to  Steer  the  Ordered  Course 
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7.6.1  The  Ship  has  Lost  Way 


For  the  ship  to  have  lost  way  it  is  no  longer  able  to  be  controlled.  This  would  imply 
that  the  ship  has  lost  steering  or  propulsion.  Without  getting  into  the  details  particular  to  a 
specific  ship,  failure  of  these  mechanical  systems  can  be  attributed  to  maintenance,  operation, 
or  material  failure.  Additionally,  given  a  material  failure,  the  crew  is  unable  to  repair  the  fail¬ 
ure  before  the  ship  intersects  the  hazard. 


7.6.2  Unsafe  Wind/Current 

For  the  ship  to  encounter  a  grounding  given  that  it  has  lost  way,  it  must  be  forced  into 
the  hazard  by  the  wind/current.  Many  ships  lose  way  while  at  sea,  yet  never  encounter  an 
accident.  It  is  essential  that  the  environment  force  the  ship  into  the  hazard  for  the  hazard  to 
occur. 


7.6.3  Anchor  Failure 

Tankers  will  have  two  anchors.  Anchors  on  large  tankers  can  weigh  as  much  as 
50,000  pounds  each.  But  as  ships  have  gotten  larger,  the  anchors  have  not  done  so  propor¬ 
tionately.  The  ratio  of  the  anchor  weight  to  the  deadweight  tonnage  has  dwindled  fi'om  about 
0.6  to  0.2  [8].  The  anchors  of  large  tankers  are  suitable  for  anchorage  in  designated  areas, 
but  with  any  significant  way  on  the  ship  when  dropping  anchor,  the  momentum  becomes  too 
great  for  the  anchors  to  handle. 

As  a  mechanical  system,  the  anchor  system  failure  is  subject  to  the  same  causality  as 
the  propulsion  and  steering  systems;  maintenance,  operational,  and  material  failure.  Addi¬ 
tionally,  consideration  should  be  made  for  the  case  when  the  anchor  is  not  operated  at  all. 
Many  vessels  have  run  aground  when  prudent  letting-go  of  the  anchor  would  have  prevented 
the  catastrophe.  There  are  also  times  where  the  environmental  conditions  preclude  effective 
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anchor  usage.  The  ocean  bottom  either  does  not  lend  it  self  to  holding  the  anchor  or  the 
depth  gradient  is  too  steep. 


7.6.4  Assistance  Failure 

Tugs  or  salvage  ships  can  be  essential  to  preventing  a  catastrophe.  The  availability 
and  functionality  of  assist  ships  is  particular  to  a  given  port.  Implicit  failure  of  assistance  oc¬ 
curs  if  it  is  not  requested.  Once  requested,  the  failure  can  occur  if  the  assistance  does  not 
arrive,  or  if  the  assistance  is  unable  to  put  the  ship  on  a  safe  track.  The  inability  of  the  assist 
ship  to  put  the  damaged  ship  on  a  safe  track  can  be  caused  by  either  the  assist  ship  arriving 
too  late,  operational  errors  in  securing  a  tow  line,  or  the  assist  ship  is  too  small  to  prevent  the 
damaged  ship  from  grounding. 


7.7  Summary  of  Ship  Unable  to  Follow  a  Safe  Track 

Figure  7-9  shows  the  fault  tree  for  the  grounding  where  the  ship  is  unable  to  follow  a 
safe  track. 
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Figure  7-7;  Fault  Tree  For  Ship  Unable  to  Follow  a  Safe  Track 


7.8  Summary 

The  use  of  a  fault  tree  to  ascertain  the  areas  of  risk  are  essential  to  an  overall  risk  as¬ 
sessment.  Starting  from  the  hazardous  outcome,  or  top-event,  and  logically  progressing 
downward  through  sequential  levels  of  causation,  the  fault  tree  points  to  system  weaknesses 
by  deductively  determining  the  sources.  Once  this  systematic  approach  has  developed  all  the 
root  causes  for  groundings,  the  result  is  a  qualitative  assessment. 

The  fault  tree  is  a  way  of  decomposing  the  event,  not  a  way  of  explaining  why.  As 
such,  the  grounding  fault  tree  is  a  logical  model  representing  a  qualitative  characterization  of 
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the  system.  The  postulated  fault  events  in  the  grounding  fault  tree  are  not  exhaustive.  De¬ 
ductively  and  inductively,  they  represent  the  most  likely  events. 
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Figure  7-8:  Grounding  Fault  Tree 


Chapters  Applications 


8.1  Validation 

To  validate  the  utility  of  the  fault  tree  previously  developed,  the  following  paragraphs 
outline  some  well  documented  groundings.  The  fundamental  elements  of  the  groundings  are 
then  taken  from  the  fault  tree.  Sources  for  the  grounding  descriptions  are  taken  from  Cahill, 
Perrow,  and  Moore. 


8.2  The  Torr^  Canyon 

The  Torrey  Canyon,  en  route  from  the  Persian  Gulf  to  the  United  Kingdom,  ran 
aground  on  March  18,  1967  on  the  Seven  Stones  shoal  between  the  Scilly  Isles  and  the 
Southwest  coast  of  England. 

As  the  Torrey  Canyon  prepared  for  arrival  in  Milford  Haven,  England,  her  draft  was 
slightly  over  the  limit  for  the  port  and  the  ship  required  some  cargo  shifting  to  achieve  the 
minimum  draft.  The  cargo  shifting  was  estimated  to  take  about  5  hours,  and  the  Master  felt 
constrained  by  time  in  order  to  make  high  water  at  Milford  Haven  by  2300  on  March  18th, 
1967. 

The  last  celestial  fix  was  taken  less  than  300  miles  south  of  the  Scilly  Isles  and 
showed  to  ship  to  be  on  the  intended  track.  Prior  to  the  Master  retiring  for  the  evening,  he 
left  orders  to  steer  018"  at  approximately  15  knots.  He  was  to  be  called  when  either  the  ship 
came  within  radar  landfall,  or  0600,  whichever  came  first. 
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The  intended  track  of  the  Torrey  Canyon  was  to  pass  west  of  the  Scilly  Isles  before 
turning  east  to  approach  Milford  Haven.  There  was  no  authorization  in  the  Master’s  order  to 
allow  for  set  or  drift,  even  though  the  winds  were  from  the  Northwest  at  about  5  knots  with  a 
moderate  sea. 

Radar  landfall  of  the  Scilly  Isles  was  attained  at  approximately  0630.  But  the  islands 
appeared  off  the  port  bow,  implying  that  the  wind/current  had  set  the  ship  to  the  east  of  the 
intended  track. 

When  the  conning  officer  (the  Chief  Officer)  noticed  the  difference  error,  he  altered 
course  to  006“  and  called  the  Master  to  inform  him  of  the  course  change.  There  was  a 
documented  strained  relationship  between  the  Master  and  the  Chief  Officer,  and  when  the 
Master  was  informed  of  the  course  change,  he  asked  if  the  original  course  would  take  the 
ship  right  of  the  Scilly  Isles.  The  conning  officer  quickly  answered  “yes”,  and  the  Master  or¬ 
dered  the  ship  to  the  original  course.  The  conning  officer  had  not  made  a  correct  assessment, 
but  returned  the  ship  to  the  original  course  and  shifted  to  hand  steering. 

When  the  Master  came  to  the  bridge  at  0700,  28  miles  from  where  it  would  eventu¬ 
ally  ground,  he  still  had  time  to  accurately  assess  the  situation.  But  that  assessment  would 
not  take  place.  The  Master  had  decided  to  pass  between  the  Scilly  Isles  and  the  Seven 
Stones.  Still,  no  accounting  was  taken  for  set  or  drift,  and  a  copy  of  the  Sailing  Directions 
for  the  Scilly  Isles  was  not  on  board  ( the  Sailing  directions  would  have  advised  against  this 
action). 

As  the  ship  approached  the  Seven  Stones,  the  method  of  obtaining  a  fix  was  by  a  sin¬ 
gle  bearing  and  radar  range.  This  method  of  fixing  a  ship  is  imprudent  and  subject  to  large 
errors.  As  a  result,  no  on  board  knew  the  actual  position  of  the  ship. 

To  further  complicate  the  situation,  the  Master  became  distracted  with  a  number  of 
fishing  vessels.  And  while  it  is  judicious  to  keep  the  helm  in  a  manual  steering,  mode,  the 
Master  made  two  course  changes  and  switched  the  helm  back  to  automatic. 

As  the  ship  passed  the  northern  most  Scilly  Isles,  the  plan  was  to  turn  to  port  and 
leave  the  Seven  Stones  to  starboard.  From  the  0840  fix,  the  Master  ordered  a  course  of  due 
North.  As  the  Master  realized  the  hazardous  situation,  there  was  confusion  in  trying  to  return 
the  helm  to  manual.  At  0850  the  Torrey  Canyon  ran  aground. 
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Utilizing  the  fault  tree  to  analyze  this  accident,  one  can  see  that  the  ship  is  able  to 
follow  a  safe  track  but  it  proceeds  on  a  course  down  an  unsafe  track.  While  the  ship  was 
following  the  unsafe  track,  there  were  failures  to  detect  any  difference  error  imposed  by  the 
set  and  drift  of  the  ship.  When  the  Extremus  situation  was  realized,  there  was  a  delay  in  or¬ 
dering  manual  steering  and  untimely  response  of  the  helmsman  to  respond.  The  following 
summarizes  the  mishap: 

1.  Errors  made  in  planning  track:  insufficient  information  was  used  to  de¬ 
termine  the  desired  track.  The  Sailing  Directions  for  the  Scilly  Isles  were  not 
on  board,  current  tables  were  not  referenced,  and  there  was  no  accounting  for 
set  and  drift. 

2.  Difference  error  was  not  detected:  Errors  were  made  in  position  meas¬ 
urements,  position  estimates,  and  there  was  a  failure  of  the  conning  officer  to 
recognize  the  error. 

3.  Insufficient  action  was  taken  to  eliminate  the  error:  there  was  untimely  ac¬ 
tion  on  behalf  of  both  the  conning  officer  to  order  manual  steering ,  and  the 
helmsman  was  delayed  in  switching  to  manual  steering. 

Figure  8-1  highlights  those  portions  of  the  fault  tree  which  represent  the  grounding  of 
the  Torrey  Canyon. 
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Figure  8-1:  Fault  Tree  for  Toney  Canyon  Grounding 


8.3  The  Transhuron 


The  Transhuron  was  a  reconfigured  T-2  tanker.  When  the  ship  was  “jumboized”,  in 
1966,  air  conditioning  was  installed,  but  the  air  conditioning  piping  was  installed  in  the  vicin¬ 
ity  of  the  mdn  propulsion  switch  board.  In  spite  of  regulations  prohibiting  piping  runs  in  the 
vicinity  of  switch  boards,  the  installation  was  approved,  and  passed  inspection  by  the  USCG. 
The  air  conditioning  system  was  subsequently  modified  and  an  iron  nipple  was  placed  on  a 
bronze  condenser  to  hold  a  gauge.  The  dissimilar  metals  on  the  condenser  accelerated  cor¬ 
rosion.  When  the  nipple  failed,  water  was  sprayed  onto  the  main  propulsion  switchboard  re¬ 
sulting  in  a  loss  of  propulsion.  The  Transhuron  subsequently  grounded  and  broke  up  near 
Kitlan  Island,  in  the  Laccadives,  off  the  southwest  coast  of  India. 

The  Transhuron  was  en  route  fi'om  Bahrain  to  the  Philippines  loaded  with  over 
100,000  barrels  of  fuel  oil.  On  September  18,  1974,  the  ship  got  under  way  with  the  fath¬ 
ometer  broken,  and  a  day  later  the  ship’s  only  radar  failed.  The  ship  was  reduced  to  rely 
upon  celestial  navigation  and  a  gyro  compass  for  navigation. 

On  September  24,  at  0300,  the  nipple  failed  and  shorted  the  main  propulsion  switch¬ 
board.  There  were  ineffectual  attempts  to  stop  the  machinery,  but  none  to  deenergize  the 
equipment.  The  fixed  and  semi-portable  CO2  systems  failed.  The  crew  was  forced  to  use 
small  portable  CO2  bottles  to  fight  the  fire.  Only  then,  was  consideration  given  to  deenergiz¬ 
ing  the  equipment.  With  power  secured,  the  fire  was  quickly  put  out,  but  damage  to  the  pro¬ 
pulsion  control  unit  was  beyond  repair. 

The  Master  immediately  sent  an  urgent  message  to  the  head  office  in  New  York,  via  a 
relay  at  Cochin  Radio  India,  informing  them  of  the  situation  and  requesting  tug  services.  A 
series  of  fixes  were  taken  and  it  was  ascertained  that  the  ship  was  120  miles  northwest  of 
Kitlan  Island,  and  drifting  directly  towards  the  island  at  a  rate  of  2  knots. 

When  no  reply  was  received  from  New  York,  the  Master  sent  another  urgent  message 
via  the  Cochin  relay.  Meanwhile,  several  vessels  had  offered  assistance,  but  the  Master  was 
reluctant  to  take  responsibility.  The  head  office  reply  was  received  at  1600  on  the  25th, 
nearly  3 1  hours  later.  It  was  then  that  the  Transhuron  became  aware  that  Cochin  Radio  did 
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not  recognize  urgent  messages,  and  all  messages  were  handled  in  the  order  received.  The 
head  office  remained  unaware  of  this  situation. 

The  weather  had  degraded,  making  it  impossible  to  fix  the  position  of  the  ship.  Near 
midnight  of  the  25th,  a  Norwegian  tanker  informed  the  Transhuron  that  Chetlat  Island  was 
just  under  8  miles  fi-om  their  present  position.  This  information  showed  that  Kitlan  Island 
was  little  more  than  20  miles  to  the  southeast  and  the  ship  was  continuing  to  drift  towards  it. 
Still,  the  Master  insisted  on  waiting  for  direction  from  the  head  office  before  summoning 
help. 

On  the  morning  of  the  26th,  Chetlat  and  Kitlan  Islands  were  within  sight.  Through 
bearing  lines,  the  ship  was  determined  to  be  15  miles  from  Kitlan  Island  at  0620.  With  an 
inevitable  grounding  less  than  ten  hours  away,  and  still  no  word  from  the  head  office,  the 
Master  attempted  another  message. 

At  1100  the  Master  finally  decided  to  take  unilateral  action  and  put  out  a  general  dis¬ 
tress  call.  A  number  of  ships  responded,  but  all  were  over  100  miles  away.  At  1245  another 
distress  call  was  sent,  this  time  the  nearest  response  was  from  the  Japanese  ship,  Toshima 
Mam,  45  miles  away. 

Had  the  fathometer  been  working,  the  Transhuron  could  have  ascertained  an  anchor¬ 
age,  but  without  either  a  fathometer  or  detailed  charts  of  the  area,  the  ship  was  unable  to  de¬ 
termine  an  anchorage  and  resolve  the  severity  of  the  situation. 

When  the  Toshima  Mam  arrived  at  1600,  it  attempted  to  get  a  line  over.  The  3rd 
Mate  of  the  Toshima  Mam  was  injured  and  the  Lyle  gun  damaged  when  attempting  to  shoot 
the  line  over  to  the  Transhuron.  The  Toshima  Mam  decided  to  abandon  the  rescue  and  pro¬ 
ceed  to  the  nearest  port  for  medical  attention. 

The  Master  of  the  Transhuron  persuaded  the  Toshima  Mam  to  attempt  to  tow  them 
a  half  mile  away  from  the  Island.  It  was  now  nearly  1800.  As  the  Toshima  Mam  approached 
the  Transhuron,  at  1812  the  Transhuron  grounded.  Only  now  did  the  Master  order  the  an¬ 
chor  walked  out. 

The  Transhuron  subsequently  was  abandoned  and  broke  up  with  ship  and  cargo  a 
total  loss. 
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The  fundamental  elements  resulting  in  the  grounding  of  the  Transhuron  are  a  result  of 
the  ship  being  unable  to  follow  a  safe  track: 

1.  Lost  way:  the  ship  suffered  a  loss  of  propulsion  due  to  a  material  failure. 

2.  Necessary  wind/current:  the  wind/current  caused  the  Transhuron  to  drift 
into  the  shoal  water  in  the  vicinity  of  Kitlan  Island. 

3.  Assistance  failure:  assistance  arrives,  but  there  are  operational  errors  in 
getting  a  line  over,  but  even  the  line  had  gotten  over,  it  is  questionable  that 
there  was  enough  time  to  preclude  the  grounding.  The  delay  in  requesting 
assistance  seems  to  motivate  the  assistance  failure. 

4.  Anchor  failure:  anchor  failure  is  due  to  not  considering  dropping  the  an¬ 
chor.  Not  having  a  fathometer,  it  might  have  been  prudent  to  walk  the  anchor 
out  such  that  it  would  hold  once  the  depth  permitted. 

Figure  8-2  highlights  the  fault  tree  for  the  grounding  of  the  Transhuron. 


77 


3 

GROUNDWG 


UNABLE  TO 
FOLLOW  SAFE 
TRACK 


7^ 


Figure  8-2:  Fault  Tree  for  Transhuron  Grounding 


8.4  The  Amoco  Cadiz 

On  March  16,  1977,  Amoco  Cadiz  grounded  east  ofUshant,  and  subsequently 
broke  up  on  the  rocks  of  Roche  De  Portsall  on  the  Brittany  Coast. 


Sailing  in  gale  force  winds,  the  Amoco  Cadiz  lost  steering  at  0946  in  the  Ushant  traf¬ 
fic  separation  scheme.  The  Master  investigated  the  damage  with  the  Engineering  Officer. 

The  seriousness  of  the  situation  should  have  been  realized,  but  when  the  Master  returned  to 
the  bridge  at  1020,  he  did  not  think  of  either  summoning  for  assistance,  or  dropping  anchor, 
despite  being  only  10  miles  from  a  lee  shore. 

At  1 100,  the  Amoco  Cadiz  was  broadside  to  the  wind  and  seas,  approaching  the  coast 
of  Brittany.  The  Master  finally  realized  the  seriousness  of  the  situation  and  requested  assis¬ 
tance  fi’om  the  port  control.  The  tug  Pacific  was  contacted,  but  no  mention  was  made  of  a 
larger  tug,  Simson,  belonging  to  the  same  owners  and  nearby. 

The  Pacific  arrived  on  the  scene  at  1220.  but  disagreement  on  salvage  terms  delayed 
the  tug  fi’om  getting  a  line  over  to  the  Amoco  Cadiz.  A  line  was  finally  over  at  1400  and  the 
Pacific  attempted  to  swing  the  bow  over  to  a  more  westerly  heading.  But  the  Pacific  proved 
to  be  inadequate.  The  Amoco  Cadiz's  southeast  drift  was  checked,  but  the  wind  had  shifted 
to  the  northwest  and  the  vessels  were  being  moved  east.  Finally  the  tow  line  parted  at  about 
1600. 

With  the  coast  visible  and  about  6  miles  away,  the  Master  attempted  to  slow  the  drift 
by  putting  the  engines  full  astern.  The  effect  was  to  swing  the  stem  into  the  northwest  wind, 
while  the  ship  drifted  northeast,  parallel  to  the  coast. 

Seeing  the  effect,  the  tug  captain  decided  to  attempt  a  tow  from  astern.  To  rig  fi-om 
the  stem  necessitated  stopping  the  engines,  and  thereby,  allowing  the  Amoco  Cadiz  to  con¬ 
tinue  its  drift  straight  for  the  rocks.  The  Amoco  Cadiz  stopped  her  engines  at  about  1900, 
but  rough  seas  precluded  getting  a  line  fi'om  the  tug  to  the  Amoco  Cadiz. 

Earlier,  the  Master  had  ordered  that  the  port  anchor  be  made  ready  for  letting-go. 
After  an  hour  of  drifting,  and  tug  still  stmggling  to  get  a  line  over,  the  Master  ordered  the 
port  anchor  dropped.  But  the  momentum  of  the  ship  prevented  the  anchor  fi'om  holding, 
and  the  seas  prevented  getting  the  starboard  anchor  ready.  It  was  not  until  2030  that  a  line 
was  over  from  the  tug. 

At  2055  the  tow  was  secure  and  able  to  begin.  But  at  2104  the  Amoco  Cadiz 
grounded  aft.  The  Master  ordered  all  power  secured  to  minimize  the  chance  of  an  explosion. 
With  the  hull  holed,  but  ship  still  moving  in  seaway,  the  ship  stmck  ground  ag£un  at  about 
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2130.  The  Pacific  continued  to  attempt  pulling  the  Amoco  Cadiz  but  the  line  parted  at 
2215.  The  situation  became  hopeless.  The  Simson  arrived  at  2300  but  too  late  to  offer  any 
assistance.  Subsequently,  all  hands  were  evacuated  and  the  ship  broke  up. 

In  evaluating  the  Amoco  Cadiz  grounding,  the  ship  was  unable  to  follow  a  safe  track 
due  to  having  lost  way  with  an  anchor  failure,  an  assistance  failure,  and  the  required  wind  and 
current  to  force  the  ship  onto  the  rocks.  The  fundamental  elements  of  the  grounding  are  as 
follows: 

1.  Lost  steering:  a  material  failure  of  the  steering  system  prevented  the  ship 
from  making  way. 

2.  Anchor  failure:  there  were  operational  errors  in  that  the  starboard  anchor 
was  never  made  ready  for  letting  go,  and  there  was  a  material  failure  of  the 
port  anchor. 

3.  Assistance  failure:  the  assistance  was  inadequate  in  that  the  assist  ship  was 
too  small  to  put  the  Amoco  Cadiz  on  a  safe  track. 

The  fault  tree  for  the  Amoco  Cadiz  grounding  is  shown  in  Figure  8-3. 
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Figure  8-3:  Fault  Tree  for  the  Grounding  of  the  Amoco  Cadiz 


8.5  Tht  Exxon  Valdez 

At  21 12,  March  23,  1989,  the  Exxon  Valdez  got  underway  from  the  Valdez  Alaska, 
heading  for  Long  Beach  California.  There  were  reports  of  ice  flows  from  the  Columbia  Gla¬ 
cier  blocking  part  of  the  traffic  separation  scheme.  The  Master  and  the  Chief  Engineer  had 


discussed  the  possibility  of  delaying  the  departure  until  daylight,  but  the  Master  decided  to 
stick  with  the  evening’s  departure  schedule.  Once  underway,  the  ice  flows  were  verified 
with  the  ship’s  radar. 

At  2324,  the  pilot  departed  the  ship  and  the  Master  notified  the  VTS  of  the  pilots  de¬ 
parture  and  the  intention  of  diverting  from  the  traffic  separation  scheme.  The  Master’s  inten¬ 
tion  was  to  continue  outbound  in  the  inbound  lane  to  avoid  the  ice  flows.  The  VTS  reported 
that  no  inbound  traflBc  would  be  encountered. 

While  the  3rd  Mate  was  assisting  the  pilot  off  the  ship,  the  Master  was  alone  on  the 
bridge  with  the  helmsman.  Shortly  after  the  pilot  departed  he  ordered  a  course  of 200°,  and 
an  increase  in  speed.  He  noticed  on  the  radar  that  more  ice  was  further  east,  so  he  ordered  a 
course  of  180°.  After  the  ship  steadied  up  on  the  ordered  course,  the  Master  ordered  the 
helmsman  to  shift  to  automatic  pilot. 

When  the  3rd  Mate  returned  to  the  bridge,  the  Master  told  him  that  the  intended  plan 
was  to  remain  on  a  course  of  180°  until  the  ship  cleared  the  ice  just  below  Busby  Island.  The 
turn  should  commence  once  the  ship  was  abeam  of  Busby  Island.  Feeling  satisfied  with  the 
3rd  Mate’s  competency,  the  Master  left  the  bridge. 

At  2355,  the  Busby  Island  light  was  abeam  of  the  Exxon  Valdez.  The  ship  was  still 
accelerating  to  sea  speed.  The  helmsman  was  relieved  and  only  upon  reporting  his  relief  did 
the  3rd  Mate  realize  the  ship  was  in  automatic  pilot.  The  helmsman  was  ordered  to  place  the 
ship  back  into  hand  steering  and  the  3rd  Mate  became  preoccupied  with  the  radar  screen  as¬ 
sessing  the  ice  flow. 

The  ship  had  passed  the  Busby  Island  light.  At  2356,  the  3rd  Mate  ordered  a  10° 
right  rudder  and  called  the  Master  to  inform  him  that  he  had  started  the  turn.  He  did  not  tell 
the  Master  that  he  had  passed  Busby  Island  light  before  executing  the  maneuver.  Two  min¬ 
utes  later,  the  3rd  Mate  realized  that  the  ship  had  not  swung  appreciably.  He  ordered  the 
helm  to  increase  the  rudder  angle  to  20°.  The  lookout  reported  a  red  flashing  light  to  star¬ 
board.  The  3rd  Mate  ordered  a  hard  right  rudder.  The  ship  began  to  rapidly  swing,  and  at 
0004  the  heading  had  reached  234°,  but  the  helmsman  was  anticipating  an  ordered  course 
between  235  and  245,  and  he  began  to  check  the  swing  of  the  ship.  At  0007  the  Exxon  Val¬ 
dez  was  hard  aground  on  Bligh  Reef 
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The  Exxon  Valdez  held  an  unsafe  track,  even  though  it  was  capable  of  following  a 
safe  track.  The  planning  was  appropriate,  and  the  skill  necessary  to  execute  the  plan  was  not 
beyond  what  should  of  been  expected.  Prudence  may  have  meant  delaying  the  underway 
until  daylight,  but  common  sense  dictated  that  the  Master  not  leave  the  bridge.  As  the  course 
deviated  from  a  safe  track  after  it  came  abeam  of  Busby  Island  light,  the  fundamental  error 
was: 

1 .  Insufficient  action  to  eliminate  the  error:  untimely  action  was  taken  by  the 
conning  officer  to  order  a  course  change  and,  an  untimely  response  was  taken 
by  the  helmsman.  There  seem  to  be  some  confusion  in  shifting  to  manual 
steering,  and  the  helmsman  checked  the  swing  of  the  ship,  anticipating  an  or¬ 
dered  course. 

Figure  8-4  highlights  the  fault  tree  for  the  grounding  of  the  Exxon  Valdez. 
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Figure  8-4:  Fault  Tree  for  the  Grounding  of  the  Exxon  Valdez 


8. 


8.6  TheBraer 


On  January  3,  1993,  with  a  severe  weather  forecast,  the  Braer  got  underway  from 
Mongstad,  Norway  with  a  full  load  of  light  crude  to  deliver  to  Quebec.  As  soon  as  the  ship 
was  in  open  ocean,  it  begin  to  encounter  heavy  seas.  Severe  rolling  and  pitching  required  the 
speed  to  be  limited  and  the  deck  was  regularly  awash  by  the  waves.  By  midnight  of  the  first 
night  at  sea,  the  speed  made  good  was  only  3  knots. 

Just  after  midnight,  the  boiler  high  and  low  level  alarms  began  sounding  due  to  the 
severe  pitching  and  rolling.  To  prevent  an  automatic  shutdown,  the  2nd  Engineer  adjusted 
the  water  level  controller  but  failed  to  inform  any  of  his  superiors. 

On  the  morning  of  the  4th,  the  Chief  Engineer  and  the  Chief  Officer  became  con¬ 
cerned  about  some  pipes  that  had  been  stowed  on  deck.  They  investigated  and  found  that  in 
fact,  the  pipes  were  loose  and  rolling  around  on  deck.  The  loose  pipes  were  reported  to  the 
Master,  but  he  decided  to  wait  until  the  weather  cleared  to  stow  them.  No  one  seem  to  ap¬ 
preciate  the  fact  that  the  pipes  were  rolling  against  the  air  intake  of  the  ships  fuel  tanks. 

On  the  evening  of  the  4th,  the  auxiliary  boiler  began  malfunctioning.  This  boiler  was 
necessary  to  pre-heat  the  heavy  oil  used  for  the  main  engines.  Thus,  until  repairs  could  be 
affected,  the  main  engines  were  switched  to  diesel  oil. 

It  was  discovered  that  the  diesel  oil  supply  to  the  auxiliary  boiler  was  contaminated 
with  seawater.  As  attempts  were  made  to  drain  the  seawater,  it  was  discovered  that  the  die¬ 
sel  supply  to  the  main  engines  and  the  generator  was  also  contaminated.  Drainage  of  the 
seawater  was  continued,  and  the  Master  notified,  but  the  heavy  pitching  and  rolling  precluded 
the  settling  tanks  from  being  effective. 

At  0440  on  the  morning  of  the  5th,  the  main  engine  stopped.  A  short  time  later  the 
generator  stopped  resulting  in  a  loss  of  all  main  power.  Efforts  to  drain  the  fuel  tanks  con¬ 
tinued  but  no  one  recognized  the  source  of  contamination  as  the  broken  air  intakes  on  the 
deck.  The  attempts  to  drain  the  water  by  transferring  oil  from  storage  to  settling  tanks  had 
contaminated  all  of  the  fuel  on  board. 

The  Braer  was  10  miles  south  of  Sumburg  Head,  the  southern  tip  of  the  Shetland  Is¬ 
lands.  At  0515,  the  Master  reported  his  situation  and  position  to  the  Coastguard.  The  Mas- 
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ter  requested  tug  assistance  but  would  not  commit  to  any  financial  agreement  without  ap¬ 
proval  of  the  head  office  in  New  York.  The  Master  was  advised  that  it  would  take  2  to  3 
hours  for  a  tug  to  reach  Brear  once  a  commitment  was  made.  What  the  Master  failed  to 
check  was  his  drift:.  The  Braer  was  drifting  north  at  2  knots  directly  toward  the  Shetland  Is¬ 
lands. 

Nearly  2  hours  after  the  engines  had  stopped  the  Coastguard  had  gotten  permission 
from  the  Braer ’s  managers  in  New  York.  Meanwhile,  the  Braer  had  drifted  to  within  6  miles 
of  the  coast,  yet,  the  Master  still  believed  he  was  10  miles  away. 

The  Coastguard  immediately  requested  tugs  and  initiated  a  helicopter  evacuation  of 
the  Braer 's  crew.  When  the  helicopter  arrived  at  0640,  the  Braer  was  rolling  heavily  in  se¬ 
vere  seas  with  winds  gusting  at  65  knots.  The  engineers  were  still  trying  to  restore  power, 
but  with  the  vessels  drift  rate,  it  was  decided  to  abandon  the  ship  before  the  tug  arrived.  The 
helicopter  evacuation  was  complete  at  0830  and  Braer  was  about  1  mile  from  the  coast. 

Shortly  after  the  ship  was  abandoned,  the  northerly  drift  ceased,  and  Braer  began  to 
drift  west.  During  the  evacuation,  dropping  the  anchors  was  apparently  never  considered. 
Only  after  all  personnel  were  off  the  ship  was  there  some  discussion  of  placing  personnel 
back  on  the  ship  to  drop  the  anchors.  But  the  foremast  prevented  the  helicopter  from  operat¬ 
ing  in  the  wcinity  of  the  bow  and  the  idea  was  rejected. 

When  the  tug  arrived,  no  one  was  on  Braer  to  secure  the  towing  lines.  The  ship  be¬ 
gan  to  drift  north  toward  the  shore  again.  Volunteers  were  landed  on  the  stem  of  Brear  to 
secure  the  lines,  but  they  were  unsuccessful  due  to  fouling  of  the  messenger  lines.  The  Brear 
subsequently  grounded  around  1130  January  5,  1993. 

The  Brear  was  unable  to  follow  a  safe  track.  The  fundamental  elements  of  this 
grounding  are  as  follows: 

1.  Lost  way:  the  ship  lost  propulsion  due  to  a  material  failure  of  the  fuel  tank 
air  intakes  on  deck. 

2.  Necessary  wind/current:  sufficient  wind/current  existed  to  cause  the 
northerly  drift  into  the  Shetland  Islands. 

3.  Anchor  failure:  the  anchor  was  never  considered  until  the  ship  was  aban¬ 
doned. 


86 


4.  Assistance  failure:  the  delay  imposed  by  waiting  for  permission  from  New 
York  caused  the  tugs  to  arrive  too  late. 

Figure  8-5  shows  the  fault  tree  for  the  grounding  of  the  Braer. 


Figure  8-5:  Fault  Tree  for  the  Braer  Grounding 
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8.7  Fault  Tree  Utility 

The  application  of  the  aforementioned  tankers  to  the  grounding  fault  tree  has  shown 
its  utility.  As  a  qualitative  tool,  the  fault  tree  has  been  utilized  to  identify  the  system  faults. 

As  a  model,  all  of  the  case  studies  fit  nicely  into  the  fault  tree,  but  the  fault  tree  does 
not  represent  a  complete  picture  of  events.  There  are  a  number  of  factors  that  influence  the 
fundamental  events  that  lead  to  a  grounding.  The  fault  tree  does  not  tell  the  whole  story. 
Research  into  the  probabilities  of  the  root  causes  will  allow  a  quantitative  evaluation  to  con¬ 
tinue  on  to  the  next  step  in  the  PRA. 
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Chapter  9  Conclusion 


9.1  The  Next  Step 

Recall  the  required  tasks  necessary  to  perform  a  PRA  of  the  tanker  industry.  Table  9- 
1  recapitulates  the  required  tasks. 


Table  9-1:  Tasks  Required  to  Perform  a  PRA  of  the  Oil  Tanker  Industry 


Step 

Task 

1: 

Identify  the  combination  of  system  failures  which  can  lead  to  an  accident. 

2: 

Determine  the  probability  of  each  failure. 

3; 

Determine  the  probability  distribution  of  oil  outflow  for  each  failure. 

■ 

Determine  the  transport  and  fate  of  the  released  oil  for  the  prevailing  weather 

conditions. 

m 

Assess  the  economic  and  environmental  effects. 

6: 

Determine  the  overall  risk  assessment  for  each  of  the  failure  sequences  identi¬ 
fied. 

Only  the  first  step  has  been  accomplished,  and  only  for  tanker  groundings. 

The  next  step  in  the  performance  of  the  PRA  for  tanker  groundings  is  to  assign  probability 
values.  It  is  necessary  to  analyze  each  of  the  fundamental  causes  in  the  fault  tree  and  deter¬ 
mine  the  significant  factors  that  must  be  considered.  Once  considered,  those  factors  must  be 
assigned  probability  values.  This  is  the  most  critical  portion  of  the  PRA  and  it  will  require 
careful  consideration. 
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There  are  a  number  of  methods  that  can  be  used  to  integrate  human  failure  factors 
into  the  PRA,  each  of  which  has  characteristics  that  are  beneficial.  Since  there  are  limitations 
and  difficulties  in  current  human  reliability  analysis,  there  should  be  a  careful  consideration  of 
the  available  methods  prior  to  integrating  the  human  factors.  Table  9-2  classifies  the  catego¬ 
ries  of  common  human  reliability  models.  There  is  no  single  model  that  captures  all  impor¬ 
tant  human  errors  and  predicts  their  probabilities  [39]. 

Table  9-2:  Haman  Reliability  Analysis  Models 


Simulation  Models 

Analytical  Methods 

Maintenance  Personnel  Performance 

Simulation 

Paired  Comparison 

Technique  for  Human  Error 

Rate  Prediction 

Cognitive  Environment  Simulation 

Direct  Numerical  Estimation 

Human  Cognitive  Reliability 

Correlation 

Time  Reliability  Correlation 

9.2  Caveat  Emptor 

When  developing  a  PRA  for  oil  spills  it  is  important  to  recognize  the  areas  of  uncer¬ 
tainty.  The  PRA  is  a  discrete  analysis.  Therefore,  it  is  unable  to  account  for  the  infinite 
number  of  possibilities.  Ideally,  a  PRA  considers  all  the  important  aspects  that  lead  to  the 
undesired  event,  but  there  is  the  possibility  that  important  contributions  have  been  over¬ 
looked. 

With  any  model,  there  are  uncertainties  due  to  the  necessary  approximations  made  in 
developing  the  model.  The  human  failure  factors  are  t3^ically  the  largest  source  of  uncer¬ 
tainty  in  a  PRA.  Another  source  of  uncertainty  is  inherent  with  the  complexity  of  the  system. 
There  is  uncertainty  in  system  behavior  sensitivity  due  to  the  subjective  nature  of  the  analysis. 

Despite  the  uncertainties,  it  is  important  to  develop  the  probabilistic  risk  so  that  per¬ 
ceived  risk  does  not  produce  irrational  behavior.  The  performance  of  a  risk  analysis  reduces 
the  uncertainty  concerning  some  of  the  elements  of  risk  so  the  resources  can  be  better  allo¬ 
cated. 
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9.3  Pricis 


As  the  demand  for  oil  continues  to  rise,  there  are  expectations  that  tanker  demand  will 
increase.  Estimates  from  1985  indicate  that  tanker  accidents  contribute  400,000  tons  of  oil 
pollution  to  the  seas.  There  is  some  evidence  that  this  value  has  gone  down,  hoewver,  unless 
there  are  appropriate  steps  taken,  it  can  easily  be  conjectured  that  pollution  will  rise  with  the 
ton-miles  of  tanker  cargo. 

The  maritime  industry  has  historically  been  known  for  risk  taking,  but  the  conse¬ 
quences  of  failure  have  become  enormous.  International  and  domestic  attempts  at  regulation 
have  been  discrete  and  reactionary.  The  maritime  culture,  economics,  and  regulatory  bodies 
all  contribute  to  create  a  system  that  can  be  characterized  as  error-inducing.  There  has  been 
little  effort  to  characterize  the  system  as  a  whole  and  determine  the  areas  offering  the  greatest 
potential  for  risk  reduction. 

Chapter  4  outlines  the  steps  required  to  perform  an  overall  risk  assessment.  A  com¬ 
plete  PRA  can  allow  all  parties  to  focus  on  those  areas  offering  the  greatest  potential  for  re¬ 
duction. 

The  first  step  of  a  PRA  is  to  identify  system  failures  and  sequences.  The  fault  tree  for 
tanker  groundings  was  developed  to  determine  the  failures  and  sequences.  The  utility  of  the 
fault  tree  was  then  confirmed  from  case  studies  of  well-documented  groundings. 

The  bottom  layer  of  the  fault  tree  describes  the  fundamental  causes  for  tanker 
groundings.  Qualitatively,  human  failure  and  individual  error  are  significant  in  the  progres¬ 
sion  of  events  leading  to  a  tanker  grounding. 

Despite  the  qualitative  nature  of  the  analysis,  it  does  point  out  areas  which  can  offer 
significant  reductions  in  the  risks  associated  with  tanker  operations.  Many  of  the  system  fail¬ 
ures  are  a  result  of  technology  and  management 

Once  the  PRA  is  completed,  by  allocating  resources  in  the  areas  that  are  risk  relevant, 
rather  than  trying  to  alleviate  all  conceivable  hazards,  the  performance  of  a  risk  analysis  of 
and  by  itself  can  reduce  risk  as  knowledge  and  awareness  are  gained  [15].  Additionally,  if  the 
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process  of  risk  assessment  is  dynamic,  the  uncertainties  will  diminish  with  time.  As  the  NRC 
states  [48]: 


Marine  safety  could  benefit  from  increased  use  of  quantitative  and  qualitative  risk 
analysis  in  developing  risk  reduction  strategies.  This  approach  is  a  proven  methodology 
that  could  form  a  solid  basis  for  identifying,  developing,  and  evaluating  the  risk  reduction 
options 


Even  though  the  ratio  of  oil  spilled  to  oil  transported  is  extremely  small,  there  is 
plenty  of  room  for  improvement.  The  upshot  is  that  there  is  momentum  in  the  industry  for 
change.  The  outlined  systematic  approach  offered  by  a  PRA  yields  the  areas  of  change  to 
which  the  industry  can  focus. 


92 


Bibliography 

[1]  Ashford  N.,  “An  Innovation-Based  Strategy  for  the  Environment,”  ff^orsf  Things  First: 
The  debate  Over  Risk-Based  National  Environmental  Priorities,  Finkel  A.,  Golding  D.  eds. 
Resources  for  the  Future,  Washington  D.C.,  1994. 

[2]  Aspland  J.,  “Nine  Switches  of  Alertness,”  Proceedings  of  the  Marine  Safety  Council, 

Vol.  52,  No  3,  May-June,  1995. 

[3]  Bea  R.G.,  Moore  W.H.,  “Operational  Reliability  and  Marine  Systems,”  New  Challenges 
to  Understanding  Organizations,  Roberts  K.H.,  Macmillan  Publishing  Co.,  New  York,  1993. 

[4]  Bea  R.G.,  Moore  W.H.,  “Reliability  Based  Evaluations  of  Human  and  Organization  Er¬ 
rors  in  Reassessment  &  Requalification  of  Platforms,”  International  Offshore  Mechanics  and 
Arctic  Engineering  Conference  Safety  and  Reliability  Symposium,  No.  OMAE  94-1272,  Feb., 
1994. 

[5]  Bea  R.G.,  The  Role  of  Human  Error  in  Design,  Construction,  and  Reliability  of  Marine 
Structures,  Ship  Structure  Committee,  SSC-378,  Nov.  1994. 

[6]  Bole  A.G.,  Dineley  W.,  Nicholls  C.E.,  The  Navigation  Control  Manual,  Willliam  Heine- 
mann  Ltd,  London,  1987. 

[7]  Cahill  R.A.,  Strandings  and  their  Causes,  Fairplay  Publications  LTD,  London,  1985. 

[8]  Cahill  R.  A.,  Disasters  at  Sea:  Titanic  to  Exxon  Valdez,  Nautical  Books,  San  Antonio, 
1991. 

[9]  Christie  D.R.,  Coastal  and  Ocean  Management  Law,  West  Publishing  Co.,  St.  Paul, 

1994. 

[10]  Clark  R.,  “Recovery:  The  Untold  Story  of  Valdez  Spill,”  Forum  for  Applied  Research 
and  Public  Policy,W\TA&[,  1991. 

[11]  Cowan  E.,  Oil  and  Water,  The  Torrey  Canyon  Disaster,  J.B.  Lippincott  Co.,  New 
York,  1968. 

[12]  Cox  S.J.,  TaitN.R.S.,  Reliability,  Safety  &  Risk  Management:  An  Integrated  Approach, 
Butterworth-Heinemann  LTD,  Oxford,  1991. 

[13]  Davidson  A.,  In  the  Wake  of  the  Exxon  Valdez:  The  Devastating  Impact  of  the  Alaska 
Oil  Spill,  Sierra  Club  Books,  San  Francisco,  1990. 

[14]  Dorf  R.C.,  Modem  Control  Systems,  Addison-Wesley  Publishing  Co.,  New  York,  1989. 


93 


[15]  Dougherty  E.M.,  Fragola  J.R.,  Human  Reliability  Analysis,  John  Wiley  &  Sons,  New 
York,  1988. 

[16]  Doyle  J.,  Crude  Awakening:  The  Oil  Mess  in  America,  Friends  of  the  Earth,  Washington 
D.C.,  1994. 

[17]  Farrington  J.W.,  “Oil  Pollution:  A  Decade  of  Research  and  Monitoring,”  Oceanus  Vol. 
28  No.  3,  Fall,  1985. 

[18]  Gardenier  J.S.,  “Ship  Navigational  Failure  Detection  and  Diagnosis,”  Human  Detection 
and  Diagnosis  of  System  Failures,  Edited  by  Rasmussen  J.,  Rouse  W.B.,  Plenum  Press  New 
York,  1980. 

[19]  Green  A.E.,  Safety  Systems  Reliability,  John  Wiley  &  Sons  Ltd.,  New  York,  1983. 

[20]  Grose  V.L.,  “Technology’s  Impact  on  Human  Risk,”  Proceedings  of  the  Marine  Safety 
Council,  May- June,  1995. 

[21]  Gunner  T.J.,  Edwards  D.A.,  Gunner  and  Edwards  on  the  Carriage  of  Crude  Oil  by  Sea, 
Lloyds  of  London  Press,  London,  1986. 

[22]  Healey  T.,  “Industry  Must  be  Involved,”  Proceedings  of  the  Mariners  Safety  Council, 
Vol.  52  No.  2,  March-April ,  1995. 

[23]  Hobbs  R.R.,  Marine  Navigation  1:  Piloting,  Naval  Institute  Press,  Annapolis,  1981. 

[24]  Homstein  D.,  “Reclaiming  Environmental  Law;  A  Normative  Critique  of  Comparative 
Risk  Analysis,”  Columbia  Law  Review,  Vol.  92,  pi  562-633,  1992. 

[25]  Jenner  B.P.,  “Risk  Control  through  Quality  Management  (Future  Development  and 
Tools),”  IMAS  92,  Quality  of  Shipping  in  the  Year  2000,  Nov.,  1992. 

[26]  Jones  R.B.,  “The  Enemy  From  Within,”  Proceedings  of  the  Marine  Safety  Council,  Vol. 
52,  No  3,  May-June,  1995. 

[27]  Katsouros  M.H.,  “Oil  Spills”,  The  Energy-Environment  Connection,  Hollander  J.M., 
editor.  Island  Press,  Washington  D.C.,  1992 

[28]  Kelso  D.D.,  Brown  M.D.,  “Policy  Lessons  from  Exxon  Valdez,”  Forum  for  Applied  Re¬ 
search  and  Public  Policy,  Winter,  1991. 

[29]  Krier  J.E,  Gillette  C.P.,  “The  Un-Easy  Case  for  Technological  Optimism,”  Michigan 
Law  Review,  Vol.  84:405,  December,  1985. 


94 


[30]  Kristiansen  I.S.,  Rensvik  E.,  “Human  and  Organisational  Factors  in  Safe  Operation  and 
Pollution  Prevention,”  IMAS  92,  Quality  of  Shipping  in  the  Year  2000,  November,  1992. 

[3 1]  Kristiansen  I.S.,  “An  approach  to  Systematic  Learning  from  Accidents”,  Paper  1 1, 
IMAS  95,  Management  and  Operation  of  Ships:  Practical  Techniques  for  Today  and  Tomor¬ 
row,  The  Institute  of  Marine  Engineers,  1995. 

[32]  Landman  R.  A,  “Why  Use  Risk-Based  Technology?,”  Proceedings  of  the  Marine  Safety 
Council,  Vol.  52,  No  3,  May-June,  1995. 

[33]  Lowry  I.J.,  “Improving  Mariner/Ship  Interaction,”  Technology,  Vol  31,No.2, 

April  1994. 

[34]  Maloney  E.S.,  Dutton’s  Navigation  and  Piloting,  Naval  Institute  Press,  Annapolis, 
1985. 

[35]  Mandler  M.B.,  “Coast  Guard  Probes  Human  Factors,”  Proceedings  of  the  Marine 
Safety  Council,  Vol.  52,  No  3,  May-June,  1995. 

[36]  Mannschreck  W.  A.,  Analysis  of  Surface  Ship  Mishaps,  Naval  Safety  Center,  Naval  Air 
Station  Norfolk,  1994. 

[37]  Marks  A.,  Elements  of  Oil  Tanker  Transportation,  PennWell  Publishing  Co.,  Tulsa, 
1982. 

[38]  Mielke  J.E.,  “Oil  Spills:  Is  the  Perception  Worse  than  the  Reality?,”  Forum  for  Applied 
Research  and  Public  Policy,  Winter,  1991. 

[39]  Modarres  M. ,  What  Every  Engineer  Should  Know  A  bout  Reliability  and  Risk  Analysis, 
Marcel  Dekker,  Inc,  New  York,  1995. 

[40]  Mostert  N.,  Supership,  Alfred  A.  Knopf,  Inc.,  New  York,  1974. 

[41]  Moore  W.H.,  Bea  R.G.,  Roberts  K.H.,  “Improving  the  Management  of  Human  and  Or¬ 
ganization  Errors  (HOE)  in  Tanker  Operations,”  The  Society  of  Naval  Architects  and  Marine 
Engineers,  The  Ship  Structure  Committee,  Ship  Structures  Symposium  93,  November,  1993. 

[42]  Moore  W.H.,  “The  Grounding  of  Exxon  Valdez:  An  examination  of  the  Human  and  Or¬ 
ganizational  Factors,”  Mar/we  Technology,  Vol.  31,  No.  1,  January,  1994. 

[43]  Moore  W.H.,  Bea  R.G.,  “Management  of  Human  and  Organisational  Error  Throughout 
a  Ship’s  Life  Cycle,”  Paper  18,  IMAS  95,  Management  and  Operation  of  Ships:  Practical 
Techniques  for  Today  and  Tomorrow,  The  Institute  of  Marine  Engineers,  1995. 

[44]  Nalder  E.,  Tankers  Full  of  Trouble,  Grove  Press,  New  York,  1994. 


95 


[45]  National  Research  Council,  Panel  on  Human  Error  in  Merchant  Marine  Safety ,  Mari¬ 
time  Transportation  Research  Board,  Human  Error  in  Merchant  Marine  Safety ^  National 
Academy  of  Sciences,  National  Academy  Press,  Washington  D.C.,  1976. 

[46]  National  Research  Council,  Committee  on  the  Effect  of  Smaller  Crews  on  Maritime 
Safety,  Marine  Board,  Crew  Size  and  Maritime  Safety,  National  Academy  of  Sciences,  Na¬ 
tional  Academy  Press,  Washington  D.C.,  1990. 

[47]  National  Research  Council,  Committee  on  Tank  Vessel  Design,  Marine  Board,  Tanker 
Spills:  Prevention  by  Design,  National  Academy  of  Sciences,  National  Academy  Press, 
Washington  D.C.,  1991. 

[48]  National  Research  Council,  Committee  on  Advances  in  Navigation  and  Piloting,  Marine 
Board,  Minding  the  Helm,  Marine  Navigation  and  Piloting,  National  Academy  of  Sciences, 
National  Academy  Press,  Washington  D.C.,  1994. 

[49]  Natural  Resources  Defense  Council,  No  Safe  Harbor:  Tanker  Safety  in  America ’s  Ports, 
NRDC,  New  York,  1990. 

[50]  Natural  Resources  Defense  Council,  Safety  at  Bay:  A  Review  of  Oil  Spill  Prevention 
and  Cleanup  in  U.S.  Waters,  NRDC,  New  York,  1992 

[51]  Noble  P.G.  ,  “Safer  Transport  of  Oil  at  Sea:  A  Social  Responsibility  for  Naval  Architects 
and  Marine  Engineers,”  A/ar/we  Technology,  Vol.  30,  No.2,  April  1993. 

[52]  Notthoflf  A.,  “Spill  Sparks  Reform,  Leaves  Lasting  Scar,”  Forum  for  Applied  Research 
and  Public  Policy,  Wmter,  1991. 

[53]  Perrow  C.,  Normal  Accidents,  Basic  Books,  New  York,  1984. 

[54]  Ramakumar  R.,  Engineering  Reliability:  Fundamentals  and  Applications,  Prentice-Hall, 
Englewood  Cliffs,  New  Jersey,  1993. 

[55]  Rasmussen  N.,  “A  Description  of  Probabilistic  Safety  Assessment  Applied  to  Nuclear 
Power  Plants,”  (unpublished),  July,  1994. 

[56]  Ratcliffe  M.,  Liquid  Gold  Ships  -  A  History  of  the  Tanker,  1859-1984,  Lloyd’s  of 
London  Press,  New  York,  1985. 

[57]  Reason  J.,  Human  Error,  Cambridge  University  Press,  New  York,  1990. 

[58]  Rutherford  D.,  Tanker  Cargo  Handling,  Charles  GrifiBn  &  Co.,  LTD,  London,  1980. 

[59]  Sanders  M.  S.,  McCormick  E.  J.,  Human  Factors  in  Engineering  and  Design,  McGraw- 
Hill,  New  York,  1987 


96 


[60]  Sheehan  D.,  “Oil  Pollution  Act  of  1990:  Offshore  Oil  Spills,  the  Tanker  Business,  and 
the  Regulation  of  Pollution  Control,”  Marine  Technology  Science  Journal,  Vol  27,  No.  1  p 
70. 

[61]  Sipes  J.D.,  RADM  USCG,  “Oil  Pollution  Act  of  1990,”  Naval  Engineers  Journal,  July 

1991. 

[62]  Sullivan  G.,  Supertanker!,  Dodd,  Mead  &  Co.  New  York,  1978. 

[63]  United  Nations  Conference  on  Trade  and  Development,  Review  of  Maritime  Transport 

1992,  United  Nations,  New  York,  1993 

[64]  U.S.  Department  of  Transportation,  Preliminary  Regulatory  Impact  Analysis:  Financial 
Responsibility  for  Water  Pollution  (Vessels),  USCG,  July 12,  1993. 

[65]  von  Zharen  W.M.,  Duncan  W.,  “Environmental  Risk  Assessment  and  Management  in 
the  Maritime  Industry:  The  Interaction  with  ISO  9000,  ISM  and  ISM  Management  Sys¬ 
tems,”  Annual  Meeting  of  The  Society  of  Naval  Architects  and  Marine  Engineers,  No.  7, 
1994. 

[66]  WASH-1400  (NUREG  75/014),  Reactor  Safety  Study,  An  Assessment  of  Accidental 
Risks  in  US  Commercial  Nuclear  Power  Plants.,  October,  1975. 

[67]  Wilson  M.B.,  “The  Significance  of  Human  Factors  in  the  Prevention  of  Marine  Spills,” 
Technical  Proceedings,  Maritime  Environmental  Symposium  94,  American  Society  of  Naval 
Engineers,  Society  of  American  Military  Engineers,  February,  1994. 

[68]  Young  C.,  “Seafarer  Standards  to  be  Revised,”  Proceedings  of  the  Marine  Safety 
Council,  Vol.  52,  No  3,  May- June,  1995. 


97 


